
As usual:

http://codahale.com/how-to-safely-store-a-password/

and note that "ihashgpu" works against salted passwords; salts do not prevent brute-force attacks.



Salts do not prevent brute force attacks. However...

NOT USING SALTS MAKES RAINBOW TABLE ATTACKS TRIVIAL.

Seat belts don't prevent cancer, but they sure as hell help in a car accident.


Every secure password storage scheme is randomized. None of them need explicit salts; salting is built in. If you have to provide the salt, you are doing something wrong.


If you want to advocate the usage of pre-built password libraries, go right ahead. But please find a way of promoting it without adding confusion about the use of salts.


If you are adding your own salts, you are doing it wrong.

There is no secure password storage scheme that doesn't randomize.

What you are saying is morally equivalent to "if you want to use a preexisting block cipher that's fine, but don't confuse people about the need to use nonlinear substitutions". No, if you are designing your own s-boxes you are doomed. Use AES.

This isn't worth arguing about except that you strike me as one of these people that think they're doing it right because they add salts to their hashes. No, you aren't.


Let me repeat: salt is built in.


Also, if you're trying to brute-force just any hash from a long list of hashes, an unsalted hash means that you can try every word in your dictionary against all hashes at once; for Facebook's 500 million users, a sufficiently long salt (bcrypt's 64-bit salt qualifies) really does help a lot.
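The "salt is built in" point and the one-dictionary-pass-against-every-hash problem above, as an added example that is not from the thread: a small password-storage helper that generates and stores its own random salt so callers never supply one, beside a plain unsalted hash showing why identical passwords become a single lookup for every user. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here (an assumption, chosen so the example runs without third-party packages).

```python
import base64
import hashlib
import hmac
import os

# Constructed example: the scheme owns the salt, the caller only passes the password.
ITERATIONS = 100_000   # work factor; tune upward for production use
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute using the salt and work factor embedded in the stored record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def unsalted_collide(passwords: list) -> bool:
    """Unsalted hashing: equal passwords give equal hashes, so one guess covers all."""
    digests = [hashlib.sha256(p.encode()).hexdigest() for p in passwords]
    return len(set(digests)) < len(digests)


def salted_collide(passwords: list) -> bool:
    """Randomized scheme: equal passwords still produce distinct stored records."""
    records = [hash_password(p) for p in passwords]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    users = ["hunter2", "hunter2", "correct horse"]   # constructed sample passwords
    print("unsalted sha256 repeats:", unsalted_collide(users))   # True
    print("randomized scheme repeats:", salted_collide(users))   # False
    record = hash_password("hunter2")
    print(record, verify_password("hunter2", record), verify_password("wrong", record))
```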


I hope by this point you have a TextExpander shortcut for that URL. It's amazing how frequently it's useful in discussions.


Just being proactive about the otherwise inevitable "that's why I use 64 bit salts" thread, is all.


Which gives me yet another thing to add as a client-side script for my new discussion site: "Your post mentions the word 'salt', have you read..."


Terrific idea, force them to answer a question too before continuing. Another good test would be for 'strong' or 'weak' typing, linking to this: http://cdsmith.wordpress.com/2011/01/09/an-old-article-i-wro...



