Michal Zalewski wrote:
> Not really? I just need to rebuild my dictionary for that salt, but to
> check against say a million or ten million of common domains, it
> wouldn't be very expensive. And it's not very expensive to build such a
> list of domains, too.

In that case, you are certainly correct; adding a salt only hinders an attacker. But if we're worried about Origin giving away a secret intranet website, I think things should be reasonable. Of course, they can still dictionary brute-force it...

(whoops, forgot to CC list)