RE: Values to use for a salt?: msg#00018 security.programming
> My understanding is that salts are used to help deter dictionary attacks
> where the attacker has created a pre-hashed list of passwords and
> comparing them against the actual hashed passwords. Using salts means the
> attacker must compute all possible values of the password in the
> dictionary plus by the possible salts, which makes it computationally
> unfeasible.
>
> Also, how much less secure would it be to use a user ID as the salt
> instead of a random salt that then has to be stored? I've been thinking
> about these, but feel I am missing important ideas.
>

I don't know if my approach is a good one (probably not; I am no expert) but I always store my UID, password in a database with a timestamp. My password hash is md5(timestamp & md5(password)). That way every hash has a unique salt that changes with every password change. It makes precomputed dictionaries virtually useless. Unless you have direct database access.

Ton Geurts
geurts <shift+2> vanveen <.> nl
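An added example, not part of the original message or thread: it compares an unsalted MD5 table lookup, the timestamp-salted construction from the message, and the stored random salt the quoted question mentions. It assumes `&` means string concatenation, uses constructed words and timestamps, and substitutes PBKDF2-HMAC-SHA256 for bare MD5 in the random-salt variant, which the thread does not discuss.

```python
import hashlib
import hmac
import os

WORDS = ["letmein", "password", "dragon"]  # constructed sample dictionary


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def precomputed_table(words):
    """Table of unsalted MD5 hashes, built once without knowing any salt."""
    return {md5_hex(w.encode()): w for w in words}


def timestamp_salted(password: str, timestamp: str) -> str:
    """md5(timestamp & md5(password)), reading '&' as concatenation (assumption)."""
    return md5_hex((timestamp + md5_hex(password.encode())).encode())


def hash_password(password: str, salt=None, rounds=100_000):
    """Random 16-byte salt stored beside the hash; PBKDF2 replaces bare MD5."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


def verify_password(password: str, salt: bytes, rounds: int, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    table = precomputed_table(WORDS)
    print("unsalted hit:", md5_hex(b"password") in table)
    a = timestamp_salted("password", "2004-05-01 10:00:00")  # constructed timestamps
    b = timestamp_salted("password", "2004-05-02 09:30:00")
    print("timestamp-salted hit:", a in table or b in table)
    print("same password, same hash:", a == b)
    salt, rounds, digest = hash_password("password")
    print("verify ok:", verify_password("password", salt, rounds, digest))
```

Either salt is stored next to the hash, so it stops precomputation but not per-record guessing by someone who holds the database, which is the limit the message itself notes.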