Still claiming that the best practice would be to use a site-wide and
a per-record salt. Both methods are widely used and have their
advantages. As I wrote, on a per-record basis the attacker needs so
much time to compute just one password that it's unlikely to be worth
trying, while using a main salt hash means that if only the database
was hacked, it's nearly impossible to get the passwords.

By the way, here's my way to compute salts:

// Start from an empty string so the .= below never appends to an undefined variable.
$passwordSalt = '';

// random_int() draws from a CSPRNG; rand() is a plain PRNG and must not be used for salts.
for ($i = 0; $i < 50; $i++)
{
    $passwordSalt .= chr(random_int(33, 126));   // printable ASCII
}

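The two-layer scheme described in the post, written out as a complete added example (not code from the original message): a random per-record salt stored next to each user row, plus a site-wide secret ("main salt", often called a pepper) that lives in the application config rather than in the database. The function names, the constructed secret and the sample user record are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Site-wide secret. In a real deployment this comes from config or an
// environment variable outside the database; the value here is constructed
// only so the example runs stand-alone.
const SITE_PEPPER = 'replace-me-with-32-random-bytes-from-config';

// Per-record salt: 16 bytes from the CSPRNG, hex-encoded for storage.
function generateRecordSalt(): string
{
    return bin2hex(random_bytes(16));
}

// Combine password, per-record salt and site-wide secret. HMAC with the
// pepper as key means a dump of the users table alone (hash + salt) is not
// enough to mount an offline guess attack; the attacker also needs the pepper.
function prehash(string $password, string $salt): string
{
    return hash_hmac('sha256', $salt . $password, SITE_PEPPER);
}

// Register: returns the fields to persist with the user record.
function registerUser(string $password): array
{
    $salt = generateRecordSalt();
    // password_hash() adds its own random salt and a slow work factor
    // (bcrypt by default), which is what makes each guess expensive.
    $hash = password_hash(prehash($password, $salt), PASSWORD_DEFAULT);
    return ['salt' => $salt, 'hash' => $hash];
}

// Login: recompute the pre-hash with the stored salt and let
// password_verify() do the constant-time comparison.
function verifyUser(string $password, array $record): bool
{
    return password_verify(prehash($password, $record['salt']), $record['hash']);
}

// Stand-alone demonstration with a constructed user.
$record = registerUser('correct horse battery staple');
var_dump(verifyUser('correct horse battery staple', $record)); // bool(true)
var_dump(verifyUser('wrong password', $record));               // bool(false)
```

Each user gets a different salt, so identical passwords produce different stored hashes and rainbow tables are useless; the pepper never touches the database, so the hashes stay unusable if only the database is read. Rotating the pepper invalidates every stored hash, which is the trade-off to plan for before adopting it.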