On 04/24/2012 07:49 AM, Paul Foxworthy wrote:
> Hi Adam,
>
> Maybe I'm missing something, but if the salt is a random length and might be
> 0 characters, doesn't that mean that some passwords, randomly, won't get the
> benefit of a salt? Why not make the salt a fixed length, or a random length
> with a reasonable minimum?
The key is that if you continuously set the *same* password value, you will get *different* crypted output. With no salt, the same output will happen. Maybe I could have a minimum length of 1. The main thing, however, is to make it more complex for crackers to use a dictionary attack. As for having a fixed or random length, it allows for having a few more bits of randomness as part of the salt.
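The behaviour both messages are discussing, as an added example that is not code from this thread: a salt of random length drawn from [min_len, max_len], hashed with PBKDF2-HMAC-SHA256 standing in for the list's crypt routine (an assumption), so that the zero-length case Paul asks about can be observed directly.

```python
import hashlib
import os
import secrets


def make_salt(min_len: int, max_len: int) -> bytes:
    """Random salt whose byte length is chosen uniformly from [min_len, max_len]."""
    if min_len < 0 or max_len < min_len:
        raise ValueError("salt length range must satisfy 0 <= min_len <= max_len")
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return os.urandom(length)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is used here as a stand-in for the crypt routine
    # discussed on the list (assumption); any salted KDF shows the same effect.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def count_distinct_hashes(password: str, min_len: int, max_len: int, n: int) -> int:
    """Hash the same password n times with fresh salts and count distinct outputs.

    With a non-empty salt every stored value differs, so a precomputed dictionary
    cannot be reused across accounts. With min_len == max_len == 0 every salt is
    empty and all n outputs collapse to one value, which is the case Paul raised.
    """
    outputs = {hash_password(password, make_salt(min_len, max_len)) for _ in range(n)}
    return len(outputs)


if __name__ == "__main__":
    # Constructed sample password; the point is the salt policy, not this value.
    print("zero-length salt, distinct outputs:", count_distinct_hashes("correct horse", 0, 0, 5))
    print("8-16 byte salt, distinct outputs:  ", count_distinct_hashes("correct horse", 8, 16, 5))
```

A minimum salt length of 1 removes the empty-salt collapse, but a minimum of a few bytes is what actually keeps the per-user randomness high enough to defeat table reuse.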