Thanks for the advice. I did both as you recommended
I think that from the Moodle site point of view, getting either of them (salt/db) would not actually be of any good as the actual password would be still unknown to the hacker, which of course is irrelevant because he could simply erase the password field and login to generate a new one.
However, as the password doesn't get to be known, at least personal data could be kept private if Moodle were to encrypt it.