md5 hashing using password as salt?

忘掉有多难 2020-12-13 16:17
md5($password.md5($password))

Is this good enough for password hashing? I am not asking to compare this to something like bcrypt.

if it

6 answers
  •  眼角桃花
    2020-12-13 16:40

    Although it seems quite enough to me, it will be in danger in case someone has precomputed a rainbow table based on the same algorithm (which is quite possible). So, I'd rather use an email for the salt, which seems pretty secure yet usable. Paranoids may add some constant site-wide salt.

    People often make too big a deal out of password salt (in theory), while in their applications they allow simple passwords and transfer them in plain text over insecure HTTP in practice.

    Every freakin' day I see questions regarding salt or hash.
    And not a single one regarding password complexity. While

    Your only concern should be password complexity.

    Why? Let me show you.

    extraordinary good salt + weak password = breakable in seconds

    It is always assumed that salt is known to attacker. So, by using some dictionary of most used passwords and adding [whatever extra-random-super-long] salt to them, a weak password can be discovered in seconds. Same goes for brute-forcing short passwords.

    just sensible salt + strong password = unbreakable

    A reasonably unique salt makes precomputed tables useless, and a good password makes both dictionary and brute-force attacks good for nothing.
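The following is an added worked example, not code from the question or from the answer above; it is written in Python rather than PHP because the hash arithmetic is identical. It shows the two points the answer makes: the question's scheme md5($password . md5($password)) is a pure function of the password (so one precomputed table covers every user), a random per-user salt defeats that table, and a known salt still does nothing for a dictionary-word password. The password list and the account names are constructed sample data; MD5 is kept only to mirror the question.

```python
"""Self-salted MD5 versus a random per-user salt (added example, Python stand-in for PHP)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a "most used passwords" dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def self_salted_md5(password: str) -> str:
    """The scheme from the question: md5($password . md5($password)).
    The 'salt' is derived from the password itself, so the digest is a pure
    function of the password: every user who picks the same password gets
    the same digest, exactly as with plain unsalted MD5."""
    pw = password.encode()
    return md5_hex(pw + md5_hex(pw).encode())


def random_salted_md5(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt stored beside the digest. Returns (salt_hex, digest).
    MD5 is kept only so the comparison with the question's scheme is fair;
    real code uses a slow password hash such as bcrypt."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), md5_hex(salt + password.encode())


def verify_random_salted(password: str, salt_hex: str, digest: str) -> bool:
    _, recomputed = random_salted_md5(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, digest)


def precomputed_table() -> Dict[str, str]:
    """One-off table for the self-salted scheme: built once, it inverts the
    stored digest of any user who chose a dictionary word."""
    return {self_salted_md5(pw): pw for pw in COMMON_PASSWORDS}


def same_password_same_digest() -> bool:
    """Two accounts (constructed: alice and bob) sharing a weak password:
    identical under the question's scheme, distinct with a random per-user salt."""
    alice = self_salted_md5("letmein")
    bob = self_salted_md5("letmein")
    _, alice_salted = random_salted_md5("letmein")
    _, bob_salted = random_salted_md5("letmein")
    return alice == bob and alice_salted != bob_salted


def table_hits(digests: List[str]) -> List[Optional[str]]:
    """Which stored digests the precomputed table resolves (None = miss)."""
    table = precomputed_table()
    return [table.get(d) for d in digests]


def weak_password_with_known_salt(salt_hex: str, digest: str) -> Optional[str]:
    """The answer's other point: a random salt stops precomputed tables, but a
    salt is assumed known, and a dictionary-word password still verifies after
    a handful of hash calls. Only password strength closes this gap."""
    for candidate in COMMON_PASSWORDS:
        if verify_random_salted(candidate, salt_hex, digest):
            return candidate
    return None


if __name__ == "__main__":
    print("same password -> same digest:", same_password_same_digest())
    stored = [self_salted_md5("letmein"), self_salted_md5("correct horse battery staple")]
    print("table hits against self-salted store:", table_hits(stored))
    salt_hex, digest = random_salted_md5("qwerty")
    print("table hits against random-salted store:", table_hits([digest]))
    print("dictionary word found despite salt:", weak_password_with_known_salt(salt_hex, digest))
```

Running the script shows the self-salted store yielding its "letmein" user to the table while the random-salted store yields nothing to it; the final line shows the same random-salted user falling to a per-user dictionary pass anyway, which is the answer's argument for enforcing password complexity rather than polishing the salt.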
