Earlier versions of Unix used a passwd file to store the hashes of salted passwords (passwords

prepended with two-character random salts). Note that in these older versions of Unix, the salt is
also stored in the passwd file (as cleartext) together with the hash of the salted password. The
passwd file is publicly readable for all users of the system. It must be readable so user-privileged
software tools can find user names and other information. The security of passwords is protected
only by the one-way functions (enciphering or hashing) used for the purpose.

Early Unix implementations limited passwords to 8 characters and used a 12-bit salt, which
allowed for 4096 possible salt values. While 12 bits was good enough for most purposes in the
1970s[citation needed] (although some[who?] expressed doubts even then[citation needed]), by 2005 disk storage
had become cheap enough that an attacker can precompute the hashes of millions of common
passwords, including all 4096 possible salt variations for each password, and store the
precomputed values on a single portable hard drive. An attacker with a larger budget can build a
disk farm with all 6-character passwords and the most common 7- and 8-character passwords
stored in hashed form, for all 4096 possible salts.

The salt helps protect against an attacker using a precomputation or dictionary attack. When a
salt is used, the attacker needs to create a separate dictionary for every salt value. However, if the
salt isn't random you give the attacker an advantage, because they can create dictionaries that are
more likely than others. For example, they could create a dictionary using a salt of jsmith (or
hash of jsmith). For this reason, it is generally a good idea for the salt to be random.

Comparing a precomputation attack against a hash(username) salt and a random salt: let's say for
example the attacker decides to create dictionaries for the most common 1000 usernames and,
say, half a dozen different hash algs; that's 6000 salts and so 6000 dictionaries. If a random 32 bit
salt is used that's 2^32 or circa 4.2 billion dictionaries. So when the salt space is dramatically
reduced (like it is by using hash(username)) precomputed attacks become much more feasible