Before i start, i know the MD5 is compromised (collision attack and speed of hashing) and shouldn't be used to hash passwords, but just for the sake of it, bear with me.
My questions are: How does the salt position when hashing with md5 affects the "quality" or the "strength" of the hash?
Say i have the the following piece of code, which hashes a users password using parts of his email address as salt:
<?php
$email = '[email protected]';
$password = 'RandomPassWithChars';
$segments = explode('@', $email);
list($saltPart1, $saltPart2, $saltPart3) = $segments;
$hash = md5($saltPart1.$password.$saltPart3.$saltPart2);
?>
Is that code going to slow down a brute force / dictionary / rainbow table attack, than say:
<?php
$password = 'RandomPass';
$salt = 'RandomSaltStoredInTheDatabase';
$hash = md5($password, $salt);
?>
Is it worth trying to salt a password like in the first code or it yelds the same result as the second code? Are there any benefits from that? Does the first code delay cracking a list of passwords hashed that way than the second way of doing it?
Which leads me to a second question: Is it secure storing the salt in the database than obtaining a salt from a user id (say the email address) ? The way i see it, once an attacker has obtained a copy of the database which also cantains the salts it makes his life a little easyer trying to crack the hashes. But if the salts are not stored, the attacker would also need the algorithm that creates the salts. PLEASE CORRECT ME IF I'M WRONG.
I hope i made my self clear. Thanks for any answers in advance.