Is time() a good salt?

灰色年华 2020-12-02 05:40

I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just time() as the salt. Is time()

9 answers
  •  不知归路
    2020-12-02 06:24

    No, time() is not a good salt

    It's best not to reinvent the wheel when it comes to authentication, but to answer your question, no. The problem with time():

    • It's predictable and it correlates to potentially discoverable things. These issues make it easier to cross-match different hashed results.
    • There aren't very many possible values. Since the high-order bits don't change, it's an even narrower salt than it first appears.
    • Using it repeats previous mistakes. If this app were the first one to use time() as a salt, at least it would require a new attack.
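
An added example, not part of the answer above or of the code the question refers to: it shows the cross-matching and the narrow value range the answer describes, next to a corrected form that uses a random per-password salt and a slow KDF. Python is chosen here for illustration; the function names, sample accounts, timestamp and iteration count are all assumptions.

```python
import hashlib
import hmac
import math
import os

def weak_hash(password: str, ts: int) -> str:
    # Pattern from the question: SHA-512 with the time() value as the salt.
    return hashlib.sha512(f"{ts}{password}".encode()).hexdigest()

def timestamp_salt_bits(window_seconds: int) -> float:
    # Upper bound on salt entropy when the signup time is known to fall in a window.
    return math.log2(window_seconds)

def shared_salts(rows):
    # Audit check over (user, salt, hash) rows: salts used by more than one account.
    by_salt = {}
    for user, salt, _hash in rows:
        by_salt.setdefault(salt, []).append(user)
    return {salt: users for salt, users in by_salt.items() if len(users) > 1}

def strong_hash(password: str, salt: bytes = None, iterations: int = 210_000):
    # Corrected form: 16 random bytes per password and a slow KDF.
    # The iteration count is an assumption; tune it for your hardware.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)

# Constructed sample: two accounts created in the same second with the same password.
SAMPLE_TS = 1606887600
WEAK_ROWS = [
    ("alice", SAMPLE_TS, weak_hash("correct horse", SAMPLE_TS)),
    ("bob", SAMPLE_TS, weak_hash("correct horse", SAMPLE_TS)),
    ("carol", SAMPLE_TS + 5, weak_hash("correct horse", SAMPLE_TS + 5)),
]

if __name__ == "__main__":
    print("accounts sharing a salt:", shared_salts(WEAK_ROWS))
    print("salt bits, one-year window: %.1f" % timestamp_salt_bits(365 * 24 * 3600))
    print("salt bits, os.urandom(16):  128")
    salt, digest = strong_hash("correct horse")
    print("verify:", verify("correct horse", salt, digest))
```

Running `shared_salts` over an existing user table is a quick way to confirm whether stored salts repeat; any non-empty result means those accounts' hashes can be compared directly.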
