[eluser]bretticus[/eluser]
So if the hacker gets your database with your random salt (or even the decoy salt field and the real salt field) and gets your source code with yet another static salt, he or she can still create a rainbow table for each record. In other words, it really can't take too long to hash a dictionary against your static and random salt because he or she knows what order to do so, for one. If hashing took tremendous amounts of time, we wouldn't use it. So a weak password with all the salting in the world is still weak if the hacker has access to your system. Thus, I think a strong randomly-generated static salt string in your code is good enough for the situation that the hacker gets away with the database and not your code. However, I do see that a random salt would slow the hacker down significantly in the situation that the hacker got code and data. I guess it comes down to how long it takes to hash an entire dictionary of weak passwords.
Tell me if I'm wrong, but we're back to enforcing strong passwords now, right?
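An added example (not part of the original post, and not code from any poster in this thread): a small Python audit over constructed records that counts how many hash computations it takes to test a wordlist against stored hashes when both code and data are known. It goes slightly beyond the post by also running the same check with PBKDF2; the user names, wordlist, salts and iteration counts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

STATIC_SALT = b"constructed-static-salt"  # assumption: stands in for the salt kept in source code
WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed weak-password list

def hash_pw(password, user_salt=b"", iterations=1):
    """iterations == 1: one salted SHA-256; otherwise PBKDF2-HMAC-SHA256."""
    salt = STATIC_SALT + user_salt
    if iterations == 1:
        return hashlib.sha256(salt + password.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_records(per_user_salt, iterations=1):
    """Constructed user table: (name, per-record salt, stored hash)."""
    users = [("alice", "letmein"), ("bob", "password"), ("carol", "T9#vq!Lz0r-Wm2@x")]
    records = []
    for name, pw in users:
        salt = os.urandom(16) if per_user_salt else b""
        records.append((name, salt, hash_pw(pw, salt, iterations)))
    return records

def audit(records, iterations=1):
    """Test WORDLIST against every record with code and data both known.
    Returns (names whose password is on the list, hash computations needed)."""
    weak, computed, by_salt = set(), 0, {}
    for name, salt, stored in records:
        if salt not in by_salt:  # a wordlist pass is reusable only for an identical salt
            by_salt[salt] = [hash_pw(w, salt, iterations) for w in WORDLIST]
            computed += len(WORDLIST)
        if any(hmac.compare_digest(stored, h) for h in by_salt[salt]):
            weak.add(name)
    return weak, computed

if __name__ == "__main__":
    for label, per_user, iters in [("static salt only", False, 1),
                                   ("static + per-record salt", True, 1),
                                   ("per-record salt + PBKDF2", True, 100_000)]:
        weak, n = audit(make_records(per_user, iters), iters)
        print(f"{label}: weak={sorted(weak)} computations={n} x {iters} iteration(s)")
```

With per-record salts the number of computations grows with the number of records, and a slow KDF multiplies the cost of each one; neither changes the outcome for a password that is on the list.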