blowdart wrote:

*snip*

Not really, salts should, ideally, be unique. Even if they used the email address, you're going to have a slow old time with rainbow tables, or precomputing.

Even if they used a single salt it's not really guessable as far as I can see.

I wonder if anyone uses "lossy" encryption. This may sound dumb, but if you simply crap out the original password, like, say, when the user supplies the password, you do something stupid like

int total = 0;                                        // running sum of the character codes
foreach (char c in stringValue) total += (int)c;      // "total" replaces the original password

And use "total" as the new password and run it through encryption. So even if they managed to hack the entire thing, all they get is a garbage password, LOLz.

Obviously my example is bad because "PASS" and "ASSP" can both log in, and the encoding is too lossy. But basically, if you can do this with balanced encoding quality, you are able to protect the user's password, as the encoding is lossy.

It is not the same as typical file encryption because you don't care about getting the perfect binary back. You want to make sure that after you decrypt the password 100%, it is still useless.
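A worked comparison, added here and not part of the thread, of the character-sum idea above against blowdart's point about unique salts. The char_sum function is the post's scheme; the salted PBKDF2-HMAC-SHA256 comparison and the sample password list are my own assumptions.

```python
import hashlib
import os
from itertools import permutations


def char_sum(password):
    """The post's 'lossy' scheme: add up the character codes of the password."""
    return sum(ord(c) for c in password)


def char_sum_output_space(length, lo=32, hi=126):
    """How many distinct char_sum values a printable-ASCII password of this
    length can produce: the sum only ranges from length*lo to length*hi."""
    return length * (hi - lo) + 1


def anagram_collisions(password):
    """Every rearrangement of the password gives the same char_sum,
    which is why "PASS" and "ASSP" both log in."""
    return {"".join(p) for p in permutations(password)}


def salted_hash(password, salt, iterations=100_000):
    """Assumed comparison: a per-user random salt with PBKDF2-HMAC-SHA256.
    The same password stored for two users yields two different digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def compare_schemes(passwords):
    """Number of distinct stored values each scheme produces for the same
    list of passwords: the lossy scheme merges anagrams, the salted hash
    keeps every entry distinct even when two passwords are identical."""
    lossy = {char_sum(p) for p in passwords}
    salted = {salted_hash(p, os.urandom(16)) for p in passwords}
    return len(lossy), len(salted)


if __name__ == "__main__":
    sample = ["PASS", "ASSP", "SPAS", "hunter2", "2hunter"]  # constructed sample
    print("distinct values (char_sum, salted):", compare_schemes(sample))
    print("char_sum outputs for 8-char passwords:", char_sum_output_space(8))
```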