What exactly does password hashing and salting protect against?
#12

n0xie
Quote: However, if the hacker was only after a few rows of the db and not all of them (sensitive user perhaps), it wouldn't matter if the rainbow table couldn't be used for all the rows - with the salt he can make a rainbow table for those few rows he wants?
That is if you also know the way in which the salt is applied. If that is the case, you probably have access to the script as well as the database, in which case your mechanism would compromise your whole dataset. In my case it would potentially put a few accounts at risk if they use weak passwords. If they use strong passwords, the chance of a rainbow table collision is minimal. Keep in mind that rainbow tables can only store a certain amount of data: the bigger the dataset, the longer it takes to find a match.

The whole principle of a rainbow table is based on the fact that many passwords are weak: strong passwords + salt make rainbow tables unusable.
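
The trade-off discussed in the quoted question and the reply, as an added example that is not part of the original post: one precomputed table is reused against every unsalted row, while per-user salts force a separate table per row and still only expose guessable passwords. The word list, accounts and function names are constructed for illustration, and a plain dictionary lookup with SHA-256 stands in for a real rainbow table and for whatever hash the application uses.

```python
import hashlib
import os

# Constructed sample data: a small guess list and three accounts.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "x7#Lq9!vTz2@pW"}


def h(password: str, salt: bytes = b"") -> str:
    """SHA-256 of salt || password (assumed scheme, chosen to keep the demo fast)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(salt: bytes = b"") -> dict:
    """Precompute hash -> password for every guess, valid for one salt only."""
    return {h(word, salt): word for word in WORDLIST}


def recover_unsalted(db: dict) -> dict:
    """A single table, built once, is checked against every row."""
    table = build_table()
    return {user: table[d] for user, d in db.items() if d in table}


def recover_salted(db: dict) -> tuple:
    """Salts are stored beside the hashes, so each row needs its own table."""
    found, tables_built = {}, 0
    for user, (salt, digest) in db.items():
        table = build_table(salt)  # work cannot be shared between rows
        tables_built += 1
        if digest in table:
            found[user] = table[digest]
    return found, tables_built


# Unsalted store: identical passwords produce identical hashes.
unsalted_db = {user: h(pw) for user, pw in ACCOUNTS.items()}

# Salted store: a random 16-byte salt per user, kept with the hash.
salted_db = {}
for user, pw in ACCOUNTS.items():
    salt = os.urandom(16)
    salted_db[user] = (salt, h(pw, salt))

if __name__ == "__main__":
    print("unsalted:", recover_unsalted(unsalted_db))
    print("salted:  ", recover_salted(salted_db))
```
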


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-07-2010, 04:12 AM


