Re: Hashing and salt
Usually you to both. A secret string known to the server but not in the database, and a secret they is unique to each account. Your goal is to increase the cost of each guess that the bad guys need to make whilst not making your validation unfeasibly slow. They are used for protection against different attack vectors. Both will protect against a rainbow table (just a reverse dictionary measuring in GB or TB of millions or billions of hashes and the corresponding password). The power of a rainbow table is in reusability across multiple attacks and pretty much any reasonable length salt will mean that the hash won't be known up front (ie the bad guys need to invest a lot more, which is good)
A per server salt (rather per environment/application/etc) is useful because your validation logic knows that secret but it isn't in the database. That means that when the mongodb is left open to the world (don't get me started) it is still not possible to find the relation between password and hash.
A per user salt will inevitably require something accessible in the database (either encoded into the hash itself or in a field pertaining to the same field that doesn't change like username). The prime benefit of a per user hash is that if you and I use the same password because we like the same footy team or the same book (and we like most people don't follow recommended practice with password generation) then figuring out my password doesn't give away yours as it would if the hashes matched. Worse still, if my password hint gives away my password and my hash matched yours, that further weakens things. Worse again, I can find common hashes and collate all the password hints and join the dots. A per user hash solves all those.
Either way, don't roll your own scheme. Find a framework and use it. Recommended either bcrypt, scrypt or argon2 which use schemes that are much better at protecting against this and other attack vectors and generally require very little effort to implement.
Biting the hand that feeds IT
