I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prevent rainbow tables, so what makes this realistically less secure than another set of data in there?
For example,
hash( md5(johnny_381@example.com), p4ss\/\/0rD)
vs
hash( md5(some_UUID_value), p4ss\/\/0rD)
Is there a real reason I couldn’t just stick with the user name and simplify things? The only thing my web searching resulted was debates as to how a salt should be like a password, but ended without any reasoning behind it, where I’m under the impression this is just to prevent something like a cain-and-able cracker to run against it without being in the range of a million years. Thinking about processing limitations of reality, I don’t believe this is a big deal if people know the hash, they still don’t know the password, and they’ve moved into the super-computer range to brute force each individual hash.
Could someone please enlighten me here?
You’ll run into problems, when the username changes (if it can be changed). There’s no way you can update the hashed password, because you don’t store the unsalted, unhashed password.