Question

Bob thinks that generating and storing a random salt value for each userid on a particular server is a waste of resources. Instead, he proposes that his system administrators simply use a SHA-1 hash of the server's static IP address as the salt. Describe whether this choice impacts the increased security of using a salt for passwords, and include a brief analysis of the respective search space sizes

Answer 1

Wacky hash functions (eg. SHA-1) are a good thing, because it's better if the attacker doesn't know which hash function is in use, it's less likely for an attacker to have pre-computed a rainbow table for the wacky hash function, and it takes longer to compute the hash function.

An attacker cannot attack a hash when he doesn't know the algorithm, but noteKerckhoffs's principle, that the attacker will usually have access to the source code (especially if it's free or open source software), and that given a few password-hash pairs from the target system, it is not difficult to reverse engineer the algorithm. It does take longer to compute wacky hash functions, but only by a small constant factor. It's better to use an iterated algorithm that's designed to be extremely hard to parallelize (these are discussed below). And, properly salting the hash solves the rainbow table problem.