If it's random, you need to store it, and it becomes just as available on a leak. The salt still works though, because it makes all hashes different. You need to attack each password individually rather than tackling them all with a rainbow table or something. The approach from this article also stops working. What you use as a salt is fairly irrelevant as far as I can tell.

If you want to get more security on top of that out of your salt, the only thing I can think is to add some security by obscurity on top: If it doesn't matter which field in the DB you use, just pick an unlikely one and keep secret which one it is. Might be id, email, favourite pet, or something else. Just don't forget to update the hash when the user changes that field.
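A worked illustration of the point made in the comment above, added here and not part of the original thread: a per-user random salt stored beside the digest does nothing to hide itself once the database leaks, but it still forces an attacker to work on each record separately, because a table precomputed over unsalted hashes no longer matches anything. The guess list and iteration count are constructed for the example; the key derivation uses PBKDF2-HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256.  This is a constructed, deliberately
# low count so the example runs quickly; real deployments use far more.
ITERATIONS = 10_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).  A fresh random salt is drawn when none is given.

    The salt is not secret: it is stored next to the digest so that the
    same derivation can be repeated at login time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password: str) -> bytes:
    """The weak scheme the comment contrasts against: one plain hash per password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_precomputed_table(guesses: Iterable[str]) -> Dict[bytes, str]:
    """A minimal stand-in for a rainbow table: digest -> plaintext, built once."""
    return {unsalted_hash(g): g for g in guesses}


def lookup_in_table(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    """Single dictionary lookup; succeeds only if the digest was computed unsalted."""
    return table.get(digest)


def users_sharing_password(records: Dict[str, bytes]) -> Dict[bytes, list]:
    """Group usernames by identical digest.  With unsalted hashes this leaks
    which users chose the same password; with salted hashes every group has
    exactly one member."""
    groups: Dict[bytes, list] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: u for d, u in groups.items() if len(u) > 1}


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    salt_a, digest_a = hash_password("correct horse")
    salt_b, digest_b = hash_password("correct horse")
    print("salted digests differ:", digest_a != digest_b)

    table = build_precomputed_table(["password", "letmein", "correct horse"])
    print("unsalted hit:", lookup_in_table(table, unsalted_hash("correct horse")))
    print("salted hit:  ", lookup_in_table(table, digest_a))
```

The `users_sharing_password` helper shows the second effect of salting: even without cracking anything, an unsalted table reveals which accounts share a password, while salted digests for the same password are unrelated bytes.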
