I was reading a thread in Slashdot about a recent online MD5 Hash Database which can perform hash lookups. To my surprise I've found that some of my Drupal password hashes are actually in the database. I thought that Drupal performed hashing with some kind of 'salt' element but I've realized this is not true.
It seems to me a very big security flaw to calculate hashes directly without combining passwords with some other variable. It would be very easy to perform MD5 hashing over say 'user+password' string or any other combination in order to avoid MD5 collisions. I think every application which uses MD5 should *always* take care of this issue, but for a reason I don't know, Drupal seems not to do it yet.
Any comment will be appreciated.
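As an added illustration (not code from the post, and not Drupal's own password code), the Python below shows why a bare MD5 digest can be found in a precomputed table while a per-user salt defeats that lookup, and alongside it the stronger scheme a current application would use instead: a random per-user salt with a deliberately slow key derivation (PBKDF2). The lookup table, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the online MD5 database the post mentions: a few
# precomputed digests of common passwords, keyed by hex digest. Sample data only.
COMMON_PASSWORDS = ["password", "letmein", "123456", "qwerty"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password: str) -> str:
    """Bare MD5 of the password: identical for every user who picks it."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup(digest: str) -> Optional[str]:
    """Reverse a digest through the precomputed table; None if not present."""
    return LOOKUP_TABLE.get(digest)


def salted_md5(salt: str, password: str) -> str:
    """The scheme the post proposes: MD5 over salt + password (e.g. the user name).
    Defeats a generic lookup table, but MD5 itself remains very fast to brute-force."""
    return hashlib.md5((salt + ":" + password).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Stronger alternative: random per-user salt plus a slow key derivation.
    Stored as 'iterations$salt_hex$key_hex' so the salt travels with the hash."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${key.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print("unsalted lookup:", lookup(unsalted_md5("letmein")))        # found in the table
    print("salted lookup:  ", lookup(salted_md5("alice", "letmein")))  # None
    stored = pbkdf2_hash("letmein")
    print("pbkdf2 verify:", pbkdf2_verify("letmein", stored), pbkdf2_verify("wrong", stored))
```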