So, reading through this article (http://crackstation.net/hashing-security.htm), it says that storing the salt is fine in plain text because it renders the lookup/rainbow tables ineffective. I get that, but why not generate the salt from the submitted password and then never store that separately either?
Something like this:
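```php
<?php
$pass = '12345';
$salt = '';
// generate the salt somehow... probably not like this
$hash1 = hash('md2', $pass);
$hash2 = hash('md4', $pass);
for ($i = 0; $i < strlen($hash1); $i += 2) {
    // byte-wise OR of the two hex characters; [] replaces the {} offset syntax removed in PHP 8
    $salt .= $hash1[$i] | $hash2[$i];
}
// hash the results
// hash() has no 'bcrypt' algorithm; password_hash() is PHP's bcrypt interface
// (it also generates its own random salt and embeds it in the output)
$hashedPass = password_hash($salt . $pass, PASSWORD_BCRYPT);
```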
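An added example, not part of the original question: it keeps the question's salt derivation and compares it with a random per-user salt. With the derived salt, equal passwords produce equal stored values, so one table computed once matches every account. The user names, passwords, candidate list and the use of PBKDF2 as a slow hash with an explicit salt are assumptions made for this illustration.

```php
<?php
// Added illustration, not the poster's code. All accounts and passwords are constructed.

// The question's derivation: the salt is a pure function of the password.
function derivedSalt(string $pass): string {
    $h1 = hash('md2', $pass);
    $h2 = hash('md4', $pass);
    $salt = '';
    for ($i = 0; $i < strlen($h1); $i += 2) {
        $salt .= $h1[$i] | $h2[$i];
    }
    return $salt;
}

// Stand-in slow hash that takes an explicit salt, so both schemes can be compared.
// PBKDF2 is an assumption of this example; the question names bcrypt.
function slowHash(string $salt, string $pass): string {
    return hash_pbkdf2('sha256', $pass, $salt, 100000);
}

$users = ['alice' => '12345', 'bob' => '12345', 'carol' => 'hunter2'];

$derivedDb = [];   // scheme from the question: nothing stored but the hash
$randomDb  = [];   // conventional scheme: random salt stored next to the hash
foreach ($users as $name => $pass) {
    $derivedDb[$name] = slowHash(derivedSalt($pass), $pass);
    $salt = random_bytes(16);
    $randomDb[$name] = ['salt' => bin2hex($salt), 'hash' => slowHash($salt, $pass)];
}

// alice and bob share a password: compare their stored values under each scheme.
echo "derived salt, alice === bob: ";
var_dump($derivedDb['alice'] === $derivedDb['bob']);
echo "random salt,  alice === bob: ";
var_dump($randomDb['alice']['hash'] === $randomDb['bob']['hash']);

// The derived salt needs no per-user input, so a table keyed by hash can be
// built once from a candidate list and then checked against every row.
$candidates = ['password', '12345', 'letmein'];
$table = [];
foreach ($candidates as $guess) {
    $table[slowHash(derivedSalt($guess), $guess)] = $guess;
}
foreach ($derivedDb as $name => $stored) {
    if (isset($table[$stored])) {
        echo "$name: stored hash appears in the precomputed table\n";
    }
}
```

The same table cannot be built for `$randomDb`, because each row's hash depends on a salt that is unknown until that row is read.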