UPDATE: I recently learned from this question that in the entire discussion below, I (and I am sure others did too) was a bit confusing: What I keep calling a rainbow table, is in fact called a hash table. Rainbow tables are more complex creatures, and are actually a variant of Hellman Hash Chains. Though I believe the answer is still the same (since it doesn’t come down to cryptanalysis), some of the discussion might be a bit skewed.
The question: ‘What are rainbow tables and how are they used?‘
Typically, I always recommend using a cryptographically-strong random value as salt, to be used with hash functions (e.g. for passwords), such as to protect against Rainbow Table attacks.
But is it actually cryptographically necessary for the salt to be random? Would any unique value (unique per user, e.g. userId) suffice in this regard? It would in fact prevent using a single Rainbow Table to crack all (or most) passwords in the system…
But does lack of entropy really weaken the cryptographic strength of the hash functions?
Note, I am not asking about why to use salt, how to protect it (it doesn’t need to be), using a single constant hash (don’t), or what kind of hash function to use.
Just whether salt needs entropy or not.
Thanks all for the answers so far, but I’d like to focus on the areas I’m (a little) less familiar with. Mainly implications for cryptanalysis – I’d appreciate most if anyone has some input from the crypto-mathematical PoV.
Also, if there are additional vectors that hadn’t been considered, that’s great input too (see @Dave Sherohman point on multiple systems).
Beyond that, if you have any theory, idea or best practice – please back this up either with proof, attack scenario, or empirical evidence. Or even valid considerations for acceptable trade-offs… I’m familiar with Best Practice (capital B capital P) on the subject, I’d like to prove what value this actually provides.
EDIT: Some really good answers here, but I think as @Dave says, it comes down to Rainbow Tables for common user names… and possible less common names too. However, what if my usernames are globally unique? Not necessarily unique for my system, but per each user – e.g. email address.
There would be no incentive to build a RT for a single user (as @Dave emphasized, the salt is not kept secret), and this would still prevent clustering. Only issue would be that I might have the same email and password on a different site – but salt wouldnt prevent that anyway.
So, it comes back down to cryptanalysis – IS the entropy necessary, or not? (My current thinking is it’s not necessary from a cryptanalysis point of view, but it is from other practical reasons.)
Salt is traditionally stored as a prefix to the hashed password. This already makes it known to any attacker with access to the password hash. Using the username as salt or not does not affect that knowledge and, therefore, it would have no effect on single-system security.
However, using the username or any other user-controlled value as salt would reduce cross-system security, as a user who had the same username and password on multiple systems which use the same password hashing algorithm would end up with the same password hash on each of those systems. I do not consider this a significant liability because I, as an attacker, would try passwords that a target account is known to have used on other systems first before attempting any other means of compromising the account. Identical hashes would only tell me in advance that the known password would work, they would not make the actual attack any easier. (Note, though, that a quick comparison of the account databases would provide a list of higher-priority targets, since it would tell me who is and who isn’t reusing passwords.)
The greater danger from this idea is that usernames are commonly reused – just about any site you care to visit will have a user account named ‘Dave’, for example, and ‘admin’ or ‘root’ are even more common – which would make construction of rainbow tables targeting users with those common names much easier and more effective.
Both of these flaws could be effectively addressed by adding a second salt value (either fixed and hidden or exposed like standard salt) to the password before hashing it, but, at that point, you may as well just be using standard entropic salt anyhow instead of working the username into it.
Edited to Add: A lot of people are talking about entropy and whether entropy in salt is important. It is, but not for the reason most of the comments on it seem to think.
The general thought seems to be that entropy is important so that the salt will be difficult for an attacker to guess. This is incorrect and, in fact, completely irrelevant. As has been pointed out a few times by various people, attacks which will be affected by salt can only be made by someone with the password database and someone with the password database can just look to see what each account’s salt is. Whether it’s guessable or not doesn’t matter when you can trivially look it up.
The reason that entropy is important is to avoid clustering of salt values. If the salt is based on username and you know that most systems will have an account named either ‘root’ or ‘admin’, then you can make a rainbow table for those two salts and it will crack most systems. If, on the other hand, a random 16-bit salt is used and the random values have roughly even distribution, then you need a rainbow table for all 2^16 possible salts.
It’s not about preventing the attacker from knowing what an individual account’s salt is, it’s about not giving them the big, fat target of a single salt that will be used on a substantial proportion of potential targets.