[eluser]Dan Horrigan[/eluser]
If you really want to confuse an attacker trying a brute force using rainbow tables, you could use a pseudo-random number generator with predictable results when using the same seed to get random characters out of a few of the fields as your salt (not stored in DB). The seed could the password creation time or something. The attacker would have to know your pseudo-random number generator algorithm and what fields you used just to get the salt, let alone creating the rainbow table.
This may make no sense, as it was just a brain dump, but an interesting idea i think. Obviously if the attacker gets your code too, you are kind of screwed no matter what encryption you use.