You're Probably Storing Passwords Incorrectly

There seems to be a ton of confusion about what a hash is. A few points people seem to be missing:

  • It is not a secret value
  • It does not make any one password less susceptible to a dictionary attack
  • It makes the database as a whole less susceptible to large-scale attacks

Rainbow table attacks are basically a scan for the “low-hanging fruit” of the password database. They immediately reveal the insecure passwords, but typically will not crack the better ones. Salts prevent these attacks from scanning the whole table at once.
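The three bullet points and the rainbow-table remark above can be made concrete in code. The following is an added example, not part of the original post or the site it appears on: it stores each password as a self-describing record (algorithm, work factor, per-user random salt, digest) using PBKDF2-HMAC-SHA256 from Python's standard library, keeps the salt in the clear next to the digest, and then compares a legacy unsalted SHA-256 store with the salted store against a small precomputed digest-to-password table (a stand-in for a rainbow table). The user names, passwords and word list are constructed sample data, and the `pbkdf2_sha256$...` record format is an assumption of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

ITERATIONS = 600_000  # work factor for the slow hash; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt$digest (format assumed here).
    The salt is stored in the clear: it is not a secret, it only makes each user's
    input to the hash unique."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt taken from the record and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted(password: str) -> str:
    """The legacy scheme: a bare SHA-256, identical for every user with that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(wordlist: List[str]) -> Dict[str, str]:
    """Precomputed digest -> password map for the unsalted scheme (stand-in for a rainbow table).
    It is computed once and can be reused against any database that uses that scheme."""
    return {unsalted(word): word for word in wordlist}


def lookup_hits(stored_digests: List[str], table: Dict[str, str]) -> int:
    """How many stored digests a single pass over the precomputed table recovers."""
    return sum(1 for digest in stored_digests if digest in table)


# Constructed sample users (not real credentials); two of them share a weak password.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "Tq7#v9!xLpR2")]
# Constructed word list standing in for a dictionary used to build the table.
WORDLIST = ["123456", "password", "letmein", "qwerty"]


def compare_schemes(iterations: int = 1_000) -> Tuple[int, int]:
    """(hits against the unsalted store, hits against the salted store) for one table pass.
    The weak passwords are still weak with a salt; what changes is that the attacker must
    redo the dictionary work per salt instead of once for the whole table."""
    table = build_table(WORDLIST)
    legacy_store = [unsalted(pw) for _, pw in USERS]
    salted_store = [hash_password(pw, iterations=iterations).split("$")[3] for _, pw in USERS]
    return lookup_hits(legacy_store, table), lookup_hits(salted_store, table)


def same_password_same_record(iterations: int = 1_000) -> Tuple[bool, bool]:
    """Whether alice's and bob's stored values are identical under each scheme."""
    legacy_equal = unsalted("letmein") == unsalted("letmein")
    salted_equal = (hash_password("letmein", iterations=iterations)
                    == hash_password("letmein", iterations=iterations))
    return legacy_equal, salted_equal


if __name__ == "__main__":
    print("table hits (unsalted, salted):", compare_schemes())
    print("identical records for identical passwords (unsalted, salted):", same_password_same_record())
    record = hash_password("letmein")
    print("stored record:", record)
    print("verify correct password:", verify_password("letmein", record))
    print("verify wrong password:  ", verify_password("letmeout", record))
```

Running it shows the unsalted store giving up both weak passwords in one table lookup while the salted store gives up none, and that alice and bob end up with different records even though they chose the same password. The lower iteration counts in `compare_schemes` and `same_password_same_record` exist only to keep the demonstration fast; stored records should use the full `ITERATIONS` value.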

@Aaron G:
Very interesting point. The username/password combination being a dictionary word is fairly intuitive, but you’re absolutely right that even using the hash of the username doesn’t add much security.