I wish to ask a question about just how effective salting is if a web user chooses an incredibly easy-to-guess password. I have read (and re-read) the following webpages, but I feel my understanding is still not 100% clear.
How does password salt help against a rainbow table attack?
From the second of the URLs above, the following can be found (courtesy of user "Ross"):
To understand the first one, imagine a single password file that contains hundreds of usernames and passwords. Without a salt, I could compute "md5(attempt[0])", and then scan through the file to see if that hash shows up anywhere. If salts are present, then I have to compute "md5(salt[a] . attempt[0])", compare against entry A, then "md5(salt[b] . attempt[0])", compare against entry B, etc. Now I have n times as much work to do, where n is the number of usernames and passwords contained in the file.
Now, I understand that the introduction of a unique salt to each record in the table makes it n-times more difficult for the hacker to hack the passwords. But what if the web user is naive enough to have "password" or "dog" or "cat" as his password? If I understand the StackOverflow answers correctly, each unique salt for each record in a database table is not kept secret. A hacker who manages to breach the database can easily obtain individual salts. The salts are MEANT to slow down a hacker because a hacker would need n rainbow tables instead of one rainbow table. BUT, if a web user has the password cat, and this web user happens to be the first or second or third record in a 10000-record long table, then
$hash = sha512($salt.cat)
will not protect the naive web user from being hacked, will it? Because the hacker KNOWS the salt, and he might append or prepend the salt to an easy password, and he will know the hash. And he will then use a rainbow table and the web user's data is compromised. Am I right in understanding that the POSITION of a web user's record in a table, and the simplicity of a web user's chosen password, can undermine even the most ingenious hash because the hacker has access to the salt?
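The scenario in the question, worked through as an added Python example (not part of the original post or the linked answers): it audits a salted table against a short common-password list and counts the hash computations, which shows that a known salt removes shared work between records but leaves a weak password cheap to find wherever its row sits. The user names, passwords and word list are constructed sample data, and the PBKDF2 and denylist functions are standard mitigations assumed here, not something the post proposes.

```python
import hashlib
import os

# Constructed sample data: a short common-password list.
COMMON = ["123456", "password", "dog", "cat", "qwerty"]


def sha512_hex(salt: bytes, password: str) -> str:
    """Fast salted hash in the form the question uses: sha512(salt . password)."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def make_table(passwords):
    """Build records with a unique random salt each; the salt is stored beside the hash."""
    table = []
    for name, pw in passwords:
        salt = os.urandom(16)
        table.append({"user": name, "salt": salt, "hash": sha512_hex(salt, pw)})
    return table


def audit(table, candidates):
    """Test each candidate against each record, as a password audit would.

    Returns (weak_users, hash_computations). With salts, every (record, candidate)
    pair costs its own computation, so no work is shared between records.
    """
    weak, computations = {}, 0
    for rec in table:
        for guess in candidates:
            computations += 1
            if sha512_hex(rec["salt"], guess) == rec["hash"]:
                weak[rec["user"]] = guess
                break  # this record is already known to be weak
    return weak, computations


def slow_hash(salt: bytes, password: str, iterations: int = 200_000) -> bytes:
    """Mitigation: a deliberately slow KDF multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)


def acceptable(password: str) -> bool:
    """Mitigation: refuse common passwords at registration time."""
    return password.lower() not in COMMON


# Constructed user records: two weak passwords and one strong one.
TABLE = make_table([("alice", "cat"), ("bob", "Xk9#vT2q!mZr"), ("carol", "password")])
```

Reversing the table gives the same result and the same count, so row position plays no part; what protects the account is a password outside any candidate list and a slow hash that makes each guess expensive.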