What exactly does password hashing and salting protect against?
#6

JanDoToDo
"That’s not random. If the ‘algorithm’ of your script gets compromised, you basically compromised your entire dataset, since it uses a predictable outcome: every password goes through the same ‘function’. Generating a rainbow table once this piece of info is known is trivial."

The code would, however, produce a different salt for each user and also, if only the db was compromised then the salt is not known and so the rainbow attack would be made EVEN more difficult...? (although I do accept if your db is compromised your whole site is probably anyway). Either way the salt is introduced - it must be coded somewhere, and your point about the script being compromised would be equally true for my salting method and a different salting method, as it will be coded somewhere how the salt is added. However, my point was that if the script isn't compromised then the salt isn't known, and I'm sure there are standard things people do to combine salt/hash and the hacker would know these and be able to test (if he had the salt). If the salt isn't known they can't do that? Obviously it would all take way too long for anyone to do anyway... true?
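An added example, not part of the original post or thread: the two salting approaches under discussion side by side, a salt computed by the script versus a random salt stored next to the hash. The function names, the `derived_salt` formula, the iteration count and the sample password are assumptions made for illustration, since the poster's own code is not shown on this page.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this sketch

def derived_salt(username: str) -> bytes:
    """Hypothetical 'algorithmic' salt: a fixed function of public data."""
    return hashlib.sha256(b"site-salt:" + username.encode()).digest()[:16]

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)  # unpredictable, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def compare_schemes() -> dict:
    pw = "correct horse"  # constructed sample password shared by two users
    # Scheme A: salt derived by the script. Differs per user, but anyone who
    # has read the script can compute it without seeing the database.
    a_alice = hash_password(pw, derived_salt("alice"))
    a_bob = hash_password(pw, derived_salt("bob"))
    # Scheme B: random salt stored in the same row as the digest.
    b_alice = hash_password(pw)
    b_bob = hash_password(pw)
    return {
        "derived_differs_per_user": a_alice[1] != a_bob[1],
        "derived_salt_recomputable": derived_salt("alice") == a_alice[0],
        "random_differs_per_user": b_alice[1] != b_bob[1],
        "random_salt_recomputable": hash_password(pw)[0] == b_alice[0],
        "verify_ok": verify_password(pw, *b_alice),
        "verify_rejects_wrong": verify_password("wrong guess", *b_alice),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Both schemes give two users with the same password different digests; the difference is that the derived salt can be computed ahead of time from the script alone, while the random salt exists only in the stored row and the per-guess cost comes from the iteration count.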


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-06-2010, 07:05 PM


