[eluser]Rick Jolly[/eluser]
The per-user salt is a bad idea. I'll try to explain why through scenarios:
1. Attacker doesn't have code or database access: Attacker can't use a rainbow table with either site-wide or per-user salt. Guessing the password is the only option.
2. Attacker has code and database: No difference using per-user salt or site-wide salt.
3. Attacker has code, therefore he has the database credentials. See #2.
4. Attacker has database, but not code: Attacker can't create a rainbow table unless he can guess how the salt is applied. That would be easy to do though if per-user salts were stored in the database, since as soon as the correct algorithm for applying the salt were guessed, the rainbow table would be revealed. So, site-wide salt could be combined with the per-user salt, but using just a site-wide salt alone would be just as secure since a rainbow table can't be created if you don't know the site-wide salt - see #1. So a per-user salt when combined with a site-wide salt is useless and just adds overhead.
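
Added example, not part of Rick Jolly's post: scenario 2 above (code and database both known) measured in Python, counting the hash computations needed to test a candidate list against every account under each scheme, and how many distinct hashes end up stored. The salt value, user names, passwords, candidate list, the choice of PBKDF2 and the low iteration count are all constructed assumptions for the demo.

```python
import hashlib
import os

SITE_SALT = b"constructed-site-wide-salt"  # assumed to live in code/config, not the DB
ITERATIONS = 1000  # kept low so the demo runs fast; not a recommended setting
USERS = {"alice": "winter2024", "bob": "winter2024", "carol": "correct horse"}  # constructed
CANDIDATES = ["123456", "winter2024", "letmein"]  # constructed guess list

def hash_pw(password, user_salt=b""):
    """PBKDF2-HMAC-SHA256 over the password, salted with site salt + optional user salt."""
    salt = SITE_SALT + user_salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_db(users, per_user):
    """Return {name: (user_salt, hash)}; user_salt is empty for the site-wide-only scheme."""
    db = {}
    for name, password in users.items():
        user_salt = os.urandom(16) if per_user else b""
        db[name] = (user_salt, hash_pw(password, user_salt))
    return db

def guessing_cost(db, candidates):
    """Scenario 2: return (recovered passwords, number of hash computations needed)."""
    computed = {}  # (user_salt, candidate) -> hash, reused wherever the salt repeats
    recovered = {}
    for name, (user_salt, stored) in db.items():
        for cand in candidates:
            key = (user_salt, cand)
            if key not in computed:
                computed[key] = hash_pw(cand, user_salt)
            if computed[key] == stored:
                recovered[name] = cand
    return recovered, len(computed)

def distinct_hashes(db):
    """Identical stored hashes reveal which accounts share a password."""
    return len({stored for _, stored in db.values()})

if __name__ == "__main__":
    for label, per_user in (("site-wide salt only", False), ("site-wide + per-user", True)):
        db = build_db(USERS, per_user)
        recovered, work = guessing_cost(db, CANDIDATES)
        print(f"{label}: {work} hash computations, {len(recovered)} accounts matched, "
              f"{distinct_hashes(db)} distinct hashes for {len(db)} users")
```

With this constructed data, the site-wide-only table takes 3 hash computations and holds 2 distinct hashes for 3 users; with per-user salts the same candidate list takes 9 computations and every stored hash is distinct.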