[MuffinFlavored]

How does a password cracker brute force against a password hash (say MD5 or SHA256, I know bcrypt is designed specifically for terrible brute force efficiency) if it has a random salt? Is the salt known and just uselessly stored with the password + easily retrievable during a login attempt or database leak?

[cjcampbell]

The salt is typically stored as a prefix to the hash. Its job is not to be a secret, but to ensure that an individual effort must be made to crack each password. I can’t precompute and store the hashes or otherwise reuse previous work.

Another way to look at this is that the salt prevents information leakage from the hashes. Even if the same password occurs dozens or hundreds of times in the same database, unique salts will ensure that every hash is unique.