All popular hashes are fixed-length. The idea of a salt is to throw the hashing results off balance, so to say. By using a salt (any salt), you're preventing the use of a generic rainbow table to attack your hashes (some people have even had success using Google as a sort of rainbow table by searching for the hash). That way, they will have to generate a rainbow table for each and every record in your system, not just one for your entire system! But be sure that you can generate this hashed password in the future when you need to authorize the user.

What I'm trying to say is that it's better to use any salt than not to. Also, double-hashing is generally regarded as a bad method, because it diminishes the result space.

If you would get access to a database that stores plain md5-hashes, it would be trivial for you to enter the hash for the admin to such a service, and log in. But, if the passwords were salted, such a service would become ineffective.

So, if someone with good enough a memory would see that hash and know that it's the hash of an empty string