by wolf550e 3184 days ago
Nobody uses rainbow tables or cares to mitigate them. People care that GPU rigs get hundreds of billions of hashes-per-second[1] against a single-iteration salted hash. So all 8-char case-sensitive alphanumeric combinations can be checked in 18 minutes[2].

1 - https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...

2 - pow(26+26+10, 8) / (2*pow(10, 11)) / 60


If you are attacking just one password, that makes sense. But if you want to check all the compromised accounts for easy-to-guess passwords, a salt will increase the cost.
Salt won't save you. For checking the most common passwords against a stolen database, you try the top one million most common passwords against each hash, at a rate of 200,000 hashes per second.

A dictionary-based attack that tries variants and inserts digits and spends one second per hash will catch the less common passwords.
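The arithmetic behind the two claims in this thread (the 18-minute exhaustive search of 8-character alphanumerics at 2e11 hashes per second, and the salted-versus-unsalted cost of running a top-N wordlist over a whole dump), as an added example that is not part of any comment above. The hash is a single SHA-256 of salt||password standing in for the "single-iteration salted hash" being discussed; the wordlist, the five-account "stolen database" and the 1000-account scenario fed to `attack_seconds` are constructed inputs, not real data.

```python
import hashlib
import secrets

# --- Brute-force cost arithmetic (the "18 minutes" figure) -----------------

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over the charset."""
    return charset_size ** length

def minutes_to_exhaust(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case minutes to try every candidate at a fixed guess rate.
    62 characters, length 8, 2e11 H/s comes out at roughly 18.2 minutes."""
    return keyspace(charset_size, length) / hashes_per_second / 60

# --- Salted vs. unsalted dictionary attack ---------------------------------

def hash_password(password: str, salt: bytes = b"") -> str:
    """One SHA-256 of salt||password: the single-iteration fast hash under
    discussion, deliberately not a password KDF such as bcrypt/scrypt/Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_database(passwords, salted: bool):
    """Constructed victim dump: list of (salt, hex_hash); salt is empty when unsalted."""
    records = []
    for pw in passwords:
        salt = secrets.token_bytes(16) if salted else b""
        records.append((salt, hash_password(pw, salt)))
    return records

def dictionary_attack(records, wordlist):
    """Run the wordlist against every record; return (cracked, hash_operations).

    Unsalted: hash each word once, then match every record by dictionary
    lookup, so the cost is len(wordlist) no matter how many accounts leaked.
    Salted: each (word, record) pair is a fresh hash, so the cost scales with
    len(wordlist) * len(records). That multiplication is what the salt buys."""
    hash_ops = 0
    cracked = 0
    if all(salt == b"" for salt, _ in records):
        lookup = {}
        for word in wordlist:
            lookup[hash_password(word)] = word
            hash_ops += 1
        cracked = sum(1 for _, h in records if h in lookup)
    else:
        for salt, h in records:
            for word in wordlist:
                hash_ops += 1
                if hash_password(word, salt) == h:
                    cracked += 1
                    break
    return cracked, hash_ops

def attack_seconds(num_accounts: int, wordlist_size: int,
                   hashes_per_second: float, salted: bool) -> float:
    """Wall-clock cost of one wordlist pass over a dump at a fixed guess rate."""
    work = wordlist_size * num_accounts if salted else wordlist_size
    return work / hashes_per_second

# Constructed inputs (not real data): a tiny top-N list and a five-account dump.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]
VICTIM_PASSWORDS = ["password", "hunter2", "correct horse battery staple",
                    "qwerty", "password"]

if __name__ == "__main__":
    print(f"62^8 at 2e11 H/s: {minutes_to_exhaust(62, 8, 2e11):.1f} min")
    for salted in (False, True):
        cracked, ops = dictionary_attack(make_database(VICTIM_PASSWORDS, salted), WORDLIST)
        print(f"salted={salted}: cracked {cracked}/{len(VICTIM_PASSWORDS)} "
              f"with {ops} hash operations")
    # The reply's scenario: top 1M passwords at 200k H/s, here over a
    # constructed dump of 1000 accounts.
    print(f"1M words x 1000 accounts, unsalted: "
          f"{attack_seconds(1000, 10**6, 2e5, False):.0f} s, "
          f"salted: {attack_seconds(1000, 10**6, 2e5, True):.0f} s")
```

The two numbers the thread argues about fall out directly: without a salt the wordlist is hashed once and reused across every account, so the cost is the wordlist size; with a salt it is wordlist size times number of accounts, which at 200k H/s turns a 5-second pass over 1000 accounts into about 5000 seconds. The salt does nothing for any single account whose password is in the wordlist; only a slow, iterated KDF changes the per-guess cost.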