make it harder to steal the bakery shared secret by splitting it into part database and part settings.php

Created on 15 August 2012, almost 13 years ago
Updated 15 May 2025, 28 days ago

Currently the entire shared secret is stored in the database. This can lead to inappropriate sharing of that information if a database backup is shared without being sanitized or if there is a SQL injection vulnerability. Drupal 7's password hashing uses a system of putting some information into the database and some in settings.php.

So:
1. We need to start combining the key from the database and the $conf[''] in settings.php
2. We need to stop letting people enter the whole key in the admin interface and give documentation on how to set part of it in settings.php

This issue was discussed in private on s.d.o first and is now public after agreement on a new policy.

✨ Feature request
Status

Closed: duplicate

Version

2.0

Component

Code

Created by

🇺🇸 United States greggles Denver, Colorado, USA
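
One way to do the combining proposed in the issue above, as an added example that is not Bakery's code or the issue author's. The function name, the use of HMAC-SHA256 as the combining step, the 32-byte minimum and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration only; every name and value here is hypothetical.

/**
 * Derive the effective shared secret from a part stored in the database
 * and a part stored in settings.php. Neither part alone yields the result.
 */
function example_effective_key(string $db_part, ?string $settings_part): string {
  if ($db_part === '') {
    throw new InvalidArgumentException('Database part of the key is empty.');
  }
  // Do not fall back to the database part alone: that would silently
  // restore the single-location storage the issue wants to remove.
  if ($settings_part === null || strlen($settings_part) < 32) {
    throw new RuntimeException('settings.php part is missing or shorter than 32 bytes.');
  }
  // HMAC-SHA256 keyed with the settings.php part; raw 32-byte output.
  return hash_hmac('sha256', $db_part, $settings_part, true);
}

// Constructed sample values.
$db_part = 'value-stored-in-the-database';
$settings_part = bin2hex(random_bytes(32)); // would be set once in settings.php

// Authenticate a constructed message with the derived key.
$key = example_effective_key($db_part, $settings_part);
$message = 'constructed-message';
$tag = hash_hmac('sha256', $message, $key);

// Someone holding only a database dump has $db_part but not the derived key,
// so a tag computed from the dump alone does not match.
$tag_from_dump = hash_hmac('sha256', $message, $db_part);
var_dump(hash_equals($tag, $tag_from_dump));

// A site whose settings.php part was never set fails closed.
try {
  example_effective_key($db_part, null);
}
catch (RuntimeException $e) {
  echo $e->getMessage(), "\n";
}
```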
