
Regarding Rule 2b, why did the author keep repeating "store the salt in the database along with the key"? Why would you want to do this? A cracker would have access to your hash and your salt. Wouldn't it be trivial for him to append the salt and then do a regular old lookup table on common passwords?

At least if the salt is within the source code, it's hidden from plain view. Or did I miss something?




The salt does not need to be hidden. First of all, it needs to be unique per hashed information (password), so you cannot store it in code. Second, its purpose is to force any attacker trying to use lookup tables to calculate one lookup table per password. http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Edit: also, instead of using a "system salt", why not use an HMAC to replace the hash function?
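
The per-password salt discussed in this thread, as an added example that is not part of either comment: two users with the same password get different stored hashes, so one precomputed table cannot be reused across rows. PBKDF2, the iteration count, the wordlist, the `server_key` parameter (one reading of the HMAC suggestion) and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # sample work factor for this demo; tune for real hardware
COMMON = ["123456", "password", "letmein", "qwerty"]  # constructed wordlist


def unsalted_hash(password):
    """Plain digest with no salt: identical passwords give identical rows."""
    return hashlib.sha256(password.encode()).hexdigest()


def derive(password, salt, server_key=None):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if server_key is not None:
        # Keyed variant (assumption): HMAC with a key kept outside the database
        digest = hmac.new(server_key, digest, hashlib.sha256).digest()
    return digest.hex()


def make_record(password, server_key=None):
    """Row stored per user: a fresh random salt kept next to the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": derive(password, salt, server_key)}


def verify(password, record, server_key=None):
    expected = derive(password, bytes.fromhex(record["salt"]), server_key)
    return hmac.compare_digest(expected, record["hash"])  # constant-time compare


def table_hits(stored_hashes, table):
    """Passwords recovered by looking stored hashes up in a precomputed table."""
    return [table[h] for h in stored_hashes if h in table]


# One table computed once; it matches every unsalted row that uses a listed password
LOOKUP = {unsalted_hash(p): p for p in COMMON}

if __name__ == "__main__":
    alice, bob = make_record("password"), make_record("password")
    print("unsalted rows hit:", table_hits([unsalted_hash("password")] * 2, LOOKUP))
    print("salted rows hit:  ", table_hits([alice["hash"], bob["hash"]], LOOKUP))
    print("rows differ:", alice["hash"] != bob["hash"],
          "| login ok:", verify("password", alice))
```

The salt sits in the record in the clear; what it removes is the ability to amortize one table over all users, since each row now has to be attacked separately at the full work factor.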



