Tobias wrote:
Larger salt would be better... 4096 probably is not a large enough factor nowadays. LDAP uses 8 to 16 bytes of salt.
Hmm, you mean it'd be worthwhile to do the math up there?
There's no expensive (i.e. large integer) math required. You just create a large enough random salt and append it to the password before hashing (which involves simple bit operations, not complicated math). The result is that you will be hashing a slightly larger string. For that little bit of effort by the good guy, we've increased the bad guy's effort by 2^128 (for 16 random 8-bit bytes of salt). A pretty good tradeoff!
Thanks for clearing up some of the misconceptions I may have caused, BTW. :-)
No problem. I get an education every time I read this list, and I'm glad to contribute a tiny morsel in return ;->
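The salting step described in the exchange above, as an added example that is not code from any poster on the list: 16 random bytes are appended to the password before hashing, the salt is stored in the clear in front of the digest, and a verifier recomputes the hash from that stored salt. The last function simulates an attacker's precomputed table of unsalted hashes to show why per-user salts make such a table useless. The functions, the SHA-256 choice and the sample passwords are assumptions made for the example; a real deployment would also use a deliberately slow, iterated construction (a proper password KDF), since a single fast hash only defeats precomputation, not brute force against one user's record.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16        # 16 random bytes, the upper end of the LDAP range mentioned above
DIGEST_LEN = 32      # SHA-256 output length


def unsalted_hash(password: bytes) -> bytes:
    """Plain SHA-256 of the password: what a precomputed attacker table is built from."""
    return hashlib.sha256(password).digest()


def hash_password(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return salt || SHA-256(password || salt).

    The salt is stored in the clear in front of the digest so verification can
    recompute the hash; its job is to make precomputed tables useless, not to
    be secret. (Hypothetical record layout chosen for this example.)
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be exactly {SALT_LEN} bytes")
    digest = hashlib.sha256(password + salt).digest()
    return salt + digest


def verify_password(password: bytes, stored: bytes) -> bool:
    """Recompute the salted hash from the stored salt and compare in constant time."""
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.sha256(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def unsalted_table_hits(stored_records: list, wordlist: list) -> int:
    """Simulate an attacker who precomputed SHA-256 over a wordlist without salts.

    Returns how many stored digests appear in that table. With per-user salts the
    answer is 0 even when the wordlist contains the users' real passwords, so the
    attacker must redo the work per salt instead of once for everyone.
    """
    table = {unsalted_hash(w) for w in wordlist}
    return sum(1 for rec in stored_records if rec[SALT_LEN:] in table)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    pw = b"correct horse battery staple"
    alice = hash_password(pw)
    bob = hash_password(pw)
    print("same password, different records:", alice != bob)
    print("verify correct password:", verify_password(pw, alice))
    print("verify wrong password:", verify_password(b"wrong", alice))
    print("unsalted table hits against salted records:",
          unsalted_table_hits([alice, bob], [pw, b"password"]))
```

Two users with the same password end up with different stored records, and the attacker's unsalted table finds neither, which is the precomputation defeat the reply is describing.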