
Salts are near worthless since someone who has access to a web app or the source will probably be able to read the salt. The bcrypt recommendation is somewhat good though, but you can never be perfect. Currently in my web apps we use sha1, but we run it through about 10 times, so it slows an attacker down a bit.


Being able to read the salt doesn't make it worthless, because salts are meant to complicate dictionary attacks.


If you don't have salt, the more passwords you have, the easier it is for someone to find one password by a dictionary attack. If you have a lot of passwords you should use salt; if you don't have a lot, you still expect your app to grow, don't you?
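The point made in this thread, that a readable salt still defeats a one-computation-per-guess dictionary attack across a whole user table, can be shown with a small simulation. The following is an added example, not code from any commenter; it uses Python's standard-library PBKDF2-HMAC-SHA256 with a random 16-byte salt as a stand-in for bcrypt, and the user table and dictionary are constructed sample data. It counts how many password-hash computations a dictionary run needs with and without per-user salts, and also shows that unsalted storage reveals which users share a password.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to choose the same weak password.
USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse"}
# Constructed guess list an attacker would try against a leaked table.
DICTIONARY = ["letmein", "password123", "qwerty"]

ITERATIONS = 100_000  # work factor; raise in production, lowered here to keep the demo quick


def hash_unsalted(password):
    """Plain SHA-256 of the password: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a per-user salt (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_unsalted(users):
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users):
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)            # salt is stored in the clear next to the digest
        records[user] = (salt, hash_salted(pw, salt))
    return records


def verify_salted(records, user, candidate):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = records[user]
    return hmac.compare_digest(hash_salted(candidate, salt), digest)


def dictionary_run_unsalted(records, dictionary):
    """Without salt, one digest per guess is enough to test every account at once."""
    table = {hash_unsalted(word): word for word in dictionary}
    cracked = {user: table[digest] for user, digest in records.items() if digest in table}
    computations = len(dictionary)       # independent of the number of accounts
    return cracked, computations


def dictionary_run_salted(records, dictionary):
    """With per-user salt, every guess must be recomputed for every account."""
    cracked = {}
    computations = 0
    for user, (salt, digest) in records.items():
        for word in dictionary:
            computations += 1
            if hmac.compare_digest(hash_salted(word, salt), digest):
                cracked[user] = word
                break
    return cracked, computations


def duplicate_passwords_visible(records):
    """True if two accounts can be seen to share a password just from the stored digests."""
    digests = [digest for digest in records.values()]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("unsalted:", dictionary_run_unsalted(unsalted, DICTIONARY))
    print("salted:  ", dictionary_run_salted(salted, DICTIONARY))
    print("duplicates visible, unsalted:", duplicate_passwords_visible(unsalted))
    print("duplicates visible, salted:  ",
          duplicate_passwords_visible({u: d for u, (_, d) in salted.items()}))
    print("login alice ok:", verify_salted(salted, "alice", "password123"))
```

With three accounts the unsalted run costs 3 hash computations no matter how many users exist, while the salted run costs one computation per guess per account (7 here, since the loop stops at a hit); the gap grows linearly with the user table, and the slow KDF multiplies each of those computations. The salted digests for alice and bob also differ even though their passwords are the same.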



