Question

From Wikipedia on Salt (cryptography):

A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.

But what if I don't have a discrete database? Is it okay to salt with an intrinsic property of the password, such as its reverse? Or even (better?) salting a password with the hash of the password? For example:

md5(md5("password") + "password")

Of course there are performance consequences, but if I'm working with a low-access system, would this kind of salting display any vulnerabilities?

Again, the main reason I would look into doing this would be to save myself a lot of trouble storing a salt.


Solution 2

Would this kind of salting display any vulnerabilities?

Yes. A key purpose of the unique salt is to ensure that users who select the same password will have different password hashes. If the salt is calculated as a function of the password, then users who share the same password will also share the same password hash.

With a database of hashes, an attacker can simply find hashes that appear multiple times. Such passwords are likely to be weak and attractive targets for a brute-force attack.

If you must store passwords and cannot store a dedicated salt, a better approach would be to use an invariant field associated with the account (e.g., username or account identifier) as the salt. This approach will protect against duplicate password hashes in your database.
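The following script is an added example and is not part of the answer above. It builds a small constructed user table (names and passwords are invented) and hashes it three ways: with the password-derived "salt" from the question, with a per-user random salt, and with the username as salt as the answer suggests. A `duplicate_hashes` helper then plays the attacker's role of spotting hash values that appear more than once. The hash functions and helper names are this example's own, not anything from the original post.

```python
import hashlib
import os
from collections import Counter
from typing import Iterable, Optional


def hash_with_password_salt(password: str) -> str:
    """The scheme from the question: md5(md5(pw) + pw).

    The 'salt' is a pure function of the password, so two users with the
    same password always get the same output."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + password).encode()).hexdigest()


def hash_with_random_salt(password: str, salt: Optional[bytes] = None):
    """Per-user random salt; returns (salt_hex, digest_hex).

    SHA-256 is used here only so the example does not depend on MD5; the
    point being demonstrated is the salt, not the hash function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def hash_with_username_salt(username: str, password: str) -> str:
    """The answer's fallback: an invariant account field as the salt."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def duplicate_hashes(hashes: Iterable[str]) -> dict:
    """Attacker's view: which stored hash values occur more than once."""
    counts = Counter(hashes)
    return {h: n for h, n in counts.items() if n > 1}


# Constructed sample user table (invented data). Three users share a password.
USERS = [
    ("alice", "password123"),
    ("bob", "hunter2"),
    ("carol", "password123"),
    ("dave", "password123"),
    ("erin", "correct horse battery staple"),
]


def leak_with_password_salt() -> dict:
    return duplicate_hashes(hash_with_password_salt(pw) for _, pw in USERS)


def leak_with_random_salt() -> dict:
    return duplicate_hashes(hash_with_random_salt(pw)[1] for _, pw in USERS)


def leak_with_username_salt() -> dict:
    return duplicate_hashes(hash_with_username_salt(u, pw) for u, pw in USERS)


if __name__ == "__main__":
    print("password-derived salt:", leak_with_password_salt())  # one hash, 3 users
    print("random salt:          ", leak_with_random_salt())    # {}
    print("username salt:        ", leak_with_username_salt())  # {}
```

With the password-derived salt the attacker immediately learns that three accounts share one password and that it is worth cracking first; the random and username salts hide that. Note the caveat with the username approach: the salt is predictable (an attacker who knows a target's username can precompute for that one account), and if usernames can change the hash must be recomputed at that moment, so a stored random salt remains the better choice whenever you can store it.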

OTHER TIPS

Since you have to store the hash of the password plus any salt somewhere (else, how would you have anything to compare to when it comes time to authenticate), why not store them together?

It's not uncommon to store both the salt and the hash result of the password and salt in a single field. They can be teased apart when needed by using salts with constant lengths, or by using a separator character that is not part of the set of characters used in your salt.
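As an added illustration of the single-field idea (this is example code written for this page, not something from the answer above), here are both variants: a text record that joins algorithm, iteration count, salt and hash with a `$` separator, and a raw binary record that relies on a fixed salt length. PBKDF2-HMAC-SHA256 is used in place of a bare MD5 so the example is something you could actually deploy; the record layout, field order and helper names are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_LEN = 16          # bytes of random salt
DIGEST_LEN = 32        # SHA-256 output length


def _kdf(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DIGEST_LEN)


# --- Variant 1: separator-delimited text record -------------------------------
# Salt and hash are hex-encoded, so '$' can never occur inside either field.

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = _kdf(password, salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    return algo, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(record: str, password: str) -> bool:
    algo, iterations, salt, expected = parse_record(record)
    if algo != ALGO:
        return False
    computed = _kdf(password, salt, iterations)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, computed)


# --- Variant 2: fixed-length binary record ------------------------------------
# First SALT_LEN bytes are the salt, the rest is the digest; no separator needed.

def make_record_fixed(password: str, salt: Optional[bytes] = None) -> bytes:
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return salt + _kdf(password, salt, ITERATIONS)


def verify_fixed(record: bytes, password: str) -> bool:
    if len(record) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(expected, _kdf(password, salt, ITERATIONS))


if __name__ == "__main__":
    rec = make_record("hunter2")          # constructed sample password
    print(rec)
    print(verify(rec, "hunter2"), verify(rec, "hunter3"))   # True False
    raw = make_record_fixed("hunter2")
    print(len(raw), verify_fixed(raw, "hunter2"))           # 48 True
```

Embedding the algorithm name and iteration count in the same field (as the text variant does) is what lets you raise the work factor later: old records still verify with their stored parameters, and you rehash on the next successful login.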

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow