Post #17, 11-01-2009, 10:17 PM
bucabay
A visible salt does not decrease the effectiveness of a brute force.
http://en.wikipedia.org/wiki/Brute_force_attack

Quoting the Wikipedia article:
For symmetric-key ciphers, a brute force attack typically means a brute-force search of the key space; that is, testing all possible keys in order to recover the plaintext used to produce a particular ciphertext.
For hashes, the only unknown would be the password. Thus only the length of the password would affect the time taken for the brute force.

The visible salt would however make a current rainbow table infeasible ONLY IF the salt is random (large) enough.

The current posts that are stating that the size of the salt does not matter are only correct for unknown salts. If the salt is visible, you need a salt that is longer than what current rainbow tables can crack.
http://www.codinghorror.com/blog/archives/000949.html
See the length of passwords the rainbow table supports in the above article. It seems 14 characters are about the limit but I'm sure there are larger tables out there.

I would not solely trust a hidden salt, since having database access usually means the attacker can gain access to the file system. So I think having a large visible salt is the best bet against rainbow tables.

Then have a hidden salt to make brute force harder. More importantly, have key strengthening (http://en.wikipedia.org/wiki/Key_strengthening) or a computationally intensive hashing algorithm to make brute force ineffective, such as mentioned here:
http://chargen.matasano.com/chargen/...w-about-s.html
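A worked illustration of the two points made in this post (a random visible salt makes a precomputed table useless, and key strengthening raises the cost of every guess), added here as example code and not part of the original post. It uses Python's hashlib.pbkdf2_hmac; the four-word list is constructed and stands in for the inputs a rainbow table would have been built from.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for what a precomputed table covers.
WORDLIST = ["password", "letmein", "qwerty", "correct horse"]


def unsalted_sha256(password):
    """Plain SHA-256 of the password: the kind of hash a rainbow table is built against."""
    return hashlib.sha256(password.encode()).digest()


def build_table(words):
    """Precompute digest -> password once; reusable against every unsalted hash."""
    return {unsalted_sha256(w): w for w in words}


def lookup(table, digest):
    """Table hit: returns the password for a digest, or None if it was never precomputed."""
    return table.get(digest)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, stretched hash (PBKDF2-HMAC-SHA256). The salt is stored in the clear
    next to the digest; it is the iteration count, not salt secrecy, that raises
    the per-guess cost. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # 128 random bits: no table can cover this space
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guesses_with_salt(words, salt, digest, iterations):
    """Cost model for the defender: with the salt visible, each candidate still
    costs a full PBKDF2 run. Returns (matching word or None, PBKDF2 calls spent)."""
    calls = 0
    for w in words:
        calls += 1
        if verify_password(w, salt, digest, iterations):
            return w, calls
    return None, calls
```

The same password hashed twice yields two different stored values, so a table built for one salt is worthless for the next account, and the attacker's work per guess is multiplied by the iteration count.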