I have heard that the only purpose of a salt is to prevent rainbow table attacks, but surely it must have more value than this? Would it not prevent a dictionary-based attack too? And what about brute-forcing, would a salt be of any use there? And could you explain why, please?
Second, suppose I had an algorithm that took the microtime, a 128 character salt and a random number between 1 billion and 10 billion, and hashed them together. Would this provide a great level of security? For even if the attacker knew one of those details, it seems to me that it would still be computationally infeasible to calculate the rest. Is that right, though?
Thanks,
Ben
Edit: To clarify, the attacker doesn't have access to the hashing algorithm, so they can't spam any information to the system. All they have is the hash and they have to work out how it was compiled. Surely even if they knew how the hash was generated, trying to brute-force all the combinations with a long salt would make it unrealistic to do?
Also, the hash isn't of the user's password or username, it's just a random set of characters used for authentication. So the salt and random number don't need to be stored, just the resulting hash. In that case would the above system, represented in something like the below code, be a good system to prevent an attacker from being able to realistically guess what a user's hash might be?
$salt = "some random characters I made up";
hash('sha256', microtime(true).$salt.mt_rand(1000,9999));
I know that's only 1000-9999 instead of the billions mentioned above.
Thanks again.