For those who still don’t get it: a salt is not some kind of extra password. The entire world may know what the salt is. The salt is a way to lengthen the user password to such an extent that it will be undoable to create a generic rainbow table up front.
If you use a salt, a cracker will have to build a new rainbow table specially for that salt. I don’t know if anyone ever tried to use brute force to retrieve one of their own passwords, but trust me, it’s a pain, as long as the password is long enough. Building a rainbow table is basically doing brute force, but then you also store every combination you generate, so you can check other hashes with earlier attempts.
Of course, after a while a determined cracker will have generated a rainbow table for a specific salt also, so that is where the user-specific salt comes in. If you choose this user-specific salt well enough, a cracker will have to use brute force for every single password you stored. Saving the results in a rainbow table is useless now, because the majority of the bits that were used to generate the password hash are unique per user.
[tinfoil_hat] I guess only the NSA has the capacity and the use for such huge rainbow tables. And trying to fight the NSA isn’t going to attract a lot of users, who, after all, only want to see your fluffy bunny dancing.[/tinfoil_hat]
In short: you don’t need to secure the salt, you only need to make it unique, lengthy and random.
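An added example in Python (not from the original post) that shows the point above: a precomputed hash-to-password table recovers unsalted hashes instantly, but a per-user random salt stored in the clear next to a PBKDF2 digest makes that table useless. The candidate passwords are constructed sample values; the 600,000 iteration count is the current OWASP figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample list of guessable passwords (not from the post).
COMMON_PASSWORDS = ["password", "123456", "letmein", "fluffybunny"]

ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """The weak scheme the post argues against: hash(password) with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; this is the 'generic rainbow table'
    that works against every user of an unsalted scheme."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is unique, long and random; it is
    stored in the clear beside the digest, exactly as the post says."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def table_recovers(table: dict, stored_hash_hex: str) -> Optional[str]:
    """Simulate the cracker: one dictionary lookup against the stored hash.
    Returns the password if the precomputed table hits, else None."""
    return table.get(stored_hash_hex)
```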