What exactly does password hashing and salting protect against?
#17

[eluser]Rick Jolly[/eluser]
[quote author="Chad Fulton" date="1262921186"]
I think you may need to rethink your thoughts on #2 and #3. As people above have mentioned, if you have the code and the database, and the passwords have been hashed in some way, then your only solution to retrieving the original passwords is to create a rainbow table. There are three cases:

1. A standard hash has been used (md5, sha, etc), in which case you can just use an existing rainbow table.
2. A standard hash has been used with a site-wide salt, in which case you need to make a single rainbow table using that salt.
3. A standard hash has been used with a per-user salt, in which case you need to make one rainbow table per user using their specific salt.

So, as you can see, it definitely makes a difference whether you use a per-user or site-wide salt.
[/quote]
But creating a rainbow table for each known salt is not hard or time-consuming. Let's say you have a dictionary of 1 million common passwords. If you have the salt, you can md5 the entire dictionary with the salt in about 30 seconds using PHP.
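
An added example, not part of the post above or of the thread: it times the per-salt dictionary pass the post describes with `md5`, then estimates the same pass with PHP's `password_hash()` (bcrypt), so the cost of a site-wide salt, a per-user salt and a slow hash can be compared when choosing a storage scheme. The dictionary, salt, account count and cost setting are constructed assumptions; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not from the thread. All data below is constructed.

// Constructed stand-in for a wordlist of common passwords.
$dictionary = [];
for ($i = 0; $i < 20000; $i++) {
    $dictionary[] = "candidate{$i}";
}

// Seconds needed to hash every word in $words with $hashFn.
function time_pass(array $words, callable $hashFn): float
{
    $start = microtime(true);
    foreach ($words as $word) {
        $hashFn($word);
    }
    return microtime(true) - $start;
}

$salt  = bin2hex(random_bytes(16)); // constructed salt value
$users = 10000;                     // hypothetical number of accounts

// Fast hash: one full dictionary pass for one known salt.
$md5Pass = time_pass($dictionary, fn($w) => md5($salt . $w));

// Slow hash: time a small sample and extrapolate to a full pass.
// password_hash() generates a fresh random salt on every call.
$sample     = array_slice($dictionary, 0, 20);
$sampleSecs = time_pass(
    $sample,
    fn($w) => password_hash($w, PASSWORD_BCRYPT, ['cost' => 10])
);
$bcryptPass = $sampleSecs / count($sample) * count($dictionary);

// A site-wide salt costs one pass for the whole table;
// a per-user salt costs one pass per account.
$rows = [
    ['md5, site-wide salt',      $md5Pass],
    ['md5, per-user salt',       $md5Pass * $users],
    ['bcrypt cost 10, per-user', $bcryptPass * $users],
];
foreach ($rows as [$label, $secs]) {
    printf("%-26s %14.1f s for %d accounts\n", $label, $secs, $users);
}
```

The absolute numbers depend on the machine; the ratio between the three rows is what matters when deciding on a hash and salt scheme.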


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-07-2010, 04:55 PM


