#2 May 01, 2010 06:01
This doesn't make much difference since $salt must have some fixed value in order for b2evo to compare user passwords.
If a hacker dumps the database, he/she will get the $salt value too. It will take just a minute for a hacker to modify the brute-force script for the "$md5(md5($salt).md5($pass))" scheme.
This modification may only protect from script kiddies ;)
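
The scheme named in the post next to a per-password salted, slow hash, as an added example that is not part of the original post and is not b2evolution's code. The function names, the salt and the password are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example. $salt and the password below are constructed sample values.
const BCRYPT_OPTS = ['cost' => 12];

// The scheme quoted in the post: one site-wide salt and two fast MD5 rounds.
function legacy_hash(string $salt, string $pass): string
{
    return md5(md5($salt) . md5($pass));
}

// Hardened form: bcrypt generates a random salt per password and has a work factor.
function strong_hash(string $pass): string
{
    return password_hash($pass, PASSWORD_BCRYPT, BCRYPT_OPTS);
}

// Check a login against either record type. Returns [bool $ok, ?string $newHash];
// $newHash is set when the stored value should be replaced with a bcrypt hash.
function verify_and_upgrade(string $salt, string $pass, string $stored): array
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {   // legacy MD5 record
        $ok = hash_equals($stored, legacy_hash($salt, $pass));
        return [$ok, $ok ? strong_hash($pass) : null];
    }
    $ok = password_verify($pass, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS);
    return [$ok, $stale ? strong_hash($pass) : null];
}

$salt = 'constructed-site-salt';
$pass = 'constructed-password';

// With one fixed salt, two users who share a password share a hash.
var_dump(legacy_hash($salt, $pass) === legacy_hash($salt, $pass));
// With per-password salts, the two stored values differ.
var_dump(strong_hash($pass) === strong_hash($pass));

// Cost of computing one hash under each scheme, which is what each guess costs.
$t = microtime(true); legacy_hash($salt, $pass); $fast = microtime(true) - $t;
$t = microtime(true); strong_hash($pass);        $slow = microtime(true) - $t;
printf("legacy: %.6fs  bcrypt: %.6fs\n", $fast, $slow);

// A legacy record is verified once, then replaced with the bcrypt hash.
[$ok, $newHash] = verify_and_upgrade($salt, $pass, legacy_hash($salt, $pass));
var_dump($ok, $newHash !== null);
```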