"Jim C. Nasby" <decibel(at)decibel(dot)org> writes:
> Something that just occurred to me... if you're using a random salt, you
> can change it periodically without any disruption. So in the case of a
> site that's worried about brute-forcing a password or hash you can
> periodically update all the salts with new random values.

Not unless you force the users to change passwords. How are you going
to use MD5(passwd,oldsalt) to derive MD5(passwd,newsalt) when you don't
know passwd?

regards, tom lane