
RE: Values to use for a salt?: msg#00043

security.programming

Subject: RE: Values to use for a salt?

> I think (and I'm aware that I might prove wrong) that salt is for weak
> algorithms and weak passwords, set by regular users, not by a security
> administrator. But I would not let regular users set their own passwords,
> and use them for years ...
>
> Regards,
> Marian

For a dictionary attack the algorithm is irrelevant: the outcome is
calculated in advance. An attacker has time. A week or two extra to build
the hashed dictionary won't really matter. And I am not even talking about
government intelligence agencies (CIA, FBI, GCHQ, Mossad) with their
$10,000,000 Cray supercomputers.

A salt is needed more with weak passwords than strong passwords because weak
passwords can be found with a normal dictionary attack. But even for strong
passwords there is a case for salting. But even when you run my default
password '$3qR€Et!' (pretty strong, especially because of the EURO sign)
through the algorithm: salted is safer because you cannot precompute all
strong passwords and salts unless you own a couple of those Crays.

Ton Geurts

BTW, if anyone thinks that the above is my real password: I'm a blond and I
am male, but I am not that stupid! My real password is


