Why do you have good salt?

For example, say we do not use password_hash and instead use crypt() with sha512 to hash passwords. We need to add a salt to the password so that the attacker cannot use a rainbow table attack. Why should the salt be good and very random, as many SO answers indicate? Even if the salt is only slightly different or not very random, it will still give a completely different hash from the others. Thus, the attacker does not know who uses the same passwords, and he still cannot create just one rainbow table.

+4
2 answers

Calculating and storing a strong salt requires minimal effort, but it reduces the likelihood that a rainbow table has been pre-calculated with that salt to something astronomically small.

If the salt were a 3-digit number, it would be possible for an attacker to have pre-computed rainbow tables for all possible salt combinations. If the salt is a random 24-character alphanumeric string, the likelihood that the attacker can pre-calculate tables for all possible salts is practically zero.

+2
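The two salt sizes compared in the answer above, as an added example that is not part of the original answer. It assumes a plain SHA-512 over salt + password as a simplified stand-in for crypt()'s SHA-512 scheme, a constructed five-word candidate list, and hypothetical function names.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
# Constructed sample list standing in for commonly chosen passwords.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon"]


def salted_hash(salt: str, password: str) -> str:
    """Simplified salted SHA-512 (assumption: stand-in for crypt(), illustration only)."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def weak_salt() -> str:
    """3-digit salt: random, but drawn from only 1000 possible values."""
    return f"{secrets.randbelow(1000):03d}"


def strong_salt(length: int = 24) -> str:
    """24-character alphanumeric salt drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salt_space_bits(symbols: int, length: int) -> float:
    """Size of the salt space in bits: log2(symbols ** length)."""
    return length * math.log2(symbols)


def precompute_all_3digit_salts() -> dict:
    """One table covering every 3-digit salt; it can exist before any breach."""
    table = {}
    for n in range(1000):
        salt = f"{n:03d}"
        for pw in CANDIDATES:
            table[salted_hash(salt, pw)] = (salt, pw)
    return table


def covered_by_table(table: dict, stored_hash: str):
    """Return (salt, password) if the stored hash was precomputed, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = precompute_all_3digit_salts()
    print(f"3-digit salt: {salt_space_bits(10, 3):.1f} bits, table rows: {len(table)}")
    print(f"24-char salt: {salt_space_bits(62, 24):.1f} bits")
    print(covered_by_table(table, salted_hash(weak_salt(), "letmein")))
    print(covered_by_table(table, salted_hash(strong_salt(), "letmein")))
```

Both salts make each user's hash unique, but only the 24-character one puts the full set of possible salts out of reach of precomputation.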

, . , . , , .

, ( ), . - , , 1-1000 ( ).

. ( ), . , , . , , ( ).

, , . , , .

, , , , , , , . - . , . , admin .

, , (dev/urandom), , . , , , , ?

+2
