One small nit: the salt might be 22 characters. Moodle uses the default password hashing algorithm for the password_hash() function (since at least Moodle 2.7, which is the oldest version I have around to check for). As of today, that algorithm is Bcrypt, which in the PHP implementation uses a 22 character salt (it's actually a 128-bit salt, encoded as 22 characters using Radix-64 encoding). But as the password_hash() documentation states, that might change as stronger algorithms are added to PHP (and you can see that Argon2 is already available, which is a stronger algorithm than Bcrypt).
Going back to the original question, and assuming PHP continues to use the Bcrypt algorithm in the near term future, having a user configured salt might be better or worse depending on how that user salt is created. Three things to be taken into account are:
- Bcrypt always uses a 128 bit salt
- If you want to use a salt combining the user salt and the Moodle one[1], you'd need to combine both into a single 128 bit salt.
- From a security point of view, the more random the salt, the better.
So if the user salt/Moodle salt are not very random, and/or you combine both salts in a way that the result is less random than any of them, you might end up with a worse salt and thus a weaker overall result.
Regards.
Iñaki.
[1] Moodle doesn't create any salt itself, it simply omits the salt option and lets PHP generate a random salt each time password_hash() is called. I haven't looked at PHP code, but I assume they are using a good CSPRNG[2] to generate those random salt values.
[2] https://en.wikipedia.org/wiki/CSPRNG
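
The salt layout described in the post above (128 bits carried in 22 Radix-64 characters), as an added example that is not part of the original post and is not Moodle or PHP code. The function names are hypothetical and the sample hash string is constructed: its digest part is filler, not the hash of any password.

```python
import re

# bcrypt's Radix-64 alphabet; it is not the RFC 4648 base64 alphabet.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


def radix64_encode(raw):
    """Encode bytes with bcrypt's alphabet, zero-padding the final character."""
    nchars = -(-len(raw) * 8 // 6)  # ceiling division: 16 bytes -> 22 chars
    bits = int.from_bytes(raw, "big") << (nchars * 6 - len(raw) * 8)
    return "".join(BCRYPT_ALPHABET[(bits >> (6 * i)) & 63]
                   for i in reversed(range(nchars)))


def radix64_decode(text):
    """Return (decoded bytes, value of the leftover padding bits)."""
    bits = 0
    for ch in text:
        bits = (bits << 6) | BCRYPT_ALPHABET.index(ch)
    spare = (len(text) * 6) % 8  # 22 chars = 132 bits, so 4 bits are padding
    raw = (bits >> spare).to_bytes(len(text) * 6 // 8, "big")
    return raw, bits & ((1 << spare) - 1)


def parse_bcrypt(hash_str):
    """Split a bcrypt hash string and decode its salt field."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt_chars, _digest = m.groups()
    salt, padding = radix64_decode(salt_chars)
    return {
        "variant": variant,
        "cost": int(cost),
        "salt_chars": salt_chars,
        "salt": salt,                # always 16 bytes = 128 bits
        "canonical": padding == 0,   # the 4 padding bits should be zero
    }


# Constructed sample: known 16-byte salt, filler digest.
SAMPLE = "$2y$10$" + radix64_encode(bytes(range(16))) + "x" * 31

if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE)
    print(info["salt_chars"], len(info["salt"]) * 8, "bits")
```

Because only two bits of the 22nd character carry salt data, a canonically encoded salt always ends in one of `.`, `O`, `e` or `u`.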