I'm pretty new to the whole password hashing business, so I might be missing something obvious.
I was looking at the bcrypt algorithm, in particular BCrypt.Net, and I was wondering if it wouldn't be more secure to compute a unique salt for each user instead of a random salt?
At the moment the salt and the workload (# rounds) are exposed in the hashed password string ($2a$ + 2-digit workload + $ + 22-character salt + 31-character hashed password). Aren't we helping potential hackers by giving them the salt (if they, for example, want to brute force the admin's password)?
Couldn't we calculate the salt for each user by hashing (for example with MD5 or SHA1) their email address?
If we then only save the last 31 characters of the bcrypt hashed password, leaving out the identifier, the workload (if we keep it fixed) and most importantly the salt, wouldn't this make it a lot harder for a person trying to find the password?
(And on the plus side, we would gain some database space for large user databases, as the password is only 31 characters instead of 60.)
I'm probably missing something obvious, as I can't be the first person to make this reflection.
Marc
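
The string layout described in the question, and an email-derived salt next to a random one, as an added example (not part of the original post and not BCrypt.Net code; Python is used so it runs without that library). The function names and the sample address are assumptions, and the sample digest is a constructed placeholder, not real bcrypt output.

```python
import base64
import hashlib
import os
import re

# bcrypt packs bits like standard base64 but uses its own alphabet, no padding.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_BCRYPT = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_TO_BCRYPT = str.maketrans(_STD, _BCRYPT)
_HASH_RE = re.compile(r"\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


def parse_bcrypt(stored):
    """Split a 60-character bcrypt string into (version, cost, salt, digest)."""
    m = _HASH_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a 60-character bcrypt string")
    return m.group(1), int(m.group(2)), m.group(3), m.group(4)


def encode_salt(raw):
    """Encode a 16-byte salt as the 22 characters bcrypt puts in the string."""
    if len(raw) != 16:
        raise ValueError("bcrypt salts are 16 bytes")
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_TO_BCRYPT)


def email_salt(email):
    """Salt as proposed in the question: MD5 of the email address (16 bytes)."""
    return encode_salt(hashlib.md5(email.encode("utf-8")).digest())


def random_salt():
    """Salt drawn from the OS CSPRNG, different on every call."""
    return encode_salt(os.urandom(16))


def rebuild(email, cost, digest31, version="2a"):
    """What verification has to do if only the last 31 characters are stored."""
    return "$%s$%02d$%s%s" % (version, cost, email_salt(email), digest31)


# Constructed sample: placeholder digest, not the bcrypt output of any password.
SAMPLE_EMAIL = "admin@example.com"
SAMPLE_DIGEST = "." * 31
SAMPLE = rebuild(SAMPLE_EMAIL, 12, SAMPLE_DIGEST)

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE))
    print(email_salt(SAMPLE_EMAIL) == email_salt(SAMPLE_EMAIL))  # same every time
    print(random_salt() == random_salt())
```

`rebuild` needs only the email address, the fixed workload and the 31 stored characters to reproduce the full 60-character string, which is the same input the application itself uses at login.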