What I meant is that it shouldn't be per user, it should be per password. If a user changes his password, he should get a new salt.