diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php
index bcfabd107a..0c68e2fe1e 100644
--- a/wp-admin/setup-config.php
+++ b/wp-admin/setup-config.php
@@ -168,6 +168,24 @@ switch($step) {
 if ( !empty($wpdb->error) ) wp_die($wpdb->error->get_error_message());
+ require_once( ABSPATH . WPINC . '/plugin.php' );
+ require_once( ABSPATH . WPINC . '/http.php' );
+ wp_fix_server_vars();
+ /**#@+
+ * @ignore
+ */
+ function get_bloginfo() {
+ return 'http://' . $_SERVER['HTTP_HOST'] . str_replace( $_SERVER['PHP_SELF'], '/wp-admin/setup-config.php', '' );
+ }
+ /**#@-*/
+
+ $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/?salt=1' );
+ if ( is_wp_error( $secret_keys ) )
+ $secret_keys = false;
+ else
+ $secret_keys = explode( "\n", wp_remote_retrieve_body( $secret_keys ) );
+ $key = 0;
+
 foreach ($configFile as $line_num => $line) {
 switch (substr($line,0,16)) {
 case "define('DB_NAME'":
@@ -185,6 +203,17 @@ switch($step) {
 case '$table_prefix =':
 $configFile[$line_num] = str_replace('wp_', $prefix, $line);
 break;
+ case "define('AUTH_KEY":
+ case "define('SECURE_A":
+ case "define('LOGGED_I":
+ case "define('NONCE_KE":
+ case "define('AUTH_SAL":
+ case "define('SECURE_A":
+ case "define('LOGGED_I":
+ case "define('NONCE_SA":
+ if ( $secret_keys )
+ $configFile[$line_num] = str_replace('put your unique phrase here', substr( $secret_keys[$key++], 27, 64 ), $line );
+ break;
 }
 }
 if ( ! is_writable(ABSPATH) ) :
diff --git a/wp-config-sample.php b/wp-config-sample.php
index 3402b7b5f9..9806ae5ab3 100644
--- a/wp-config-sample.php
+++ b/wp-config-sample.php
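Review bot: In the `@@ -168,6 +168,24 @@` hunk of wp-admin/setup-config.php, any response that is not a `WP_Error` is accepted as key material, so an HTTP error page or a truncated body from the secret-key service still leaves `$secret_keys` truthy and feeds the later `substr()` extraction. The status and shape should be checked before use, for example `if ( is_wp_error( $secret_keys ) || 200 != wp_remote_retrieve_response_code( $secret_keys ) ) $secret_keys = false;`, and a body with fewer than eight lines should be rejected the same way. The `get_bloginfo()` stub also passes `str_replace()` its arguments in the wrong order: the subject is `''`, so the call always returns an empty string, and `str_replace( '/wp-admin/setup-config.php', '', $_SERVER['PHP_SELF'] )` looks like what was meant. The enclosing `switch($step)` case starts and ends outside the hunk.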
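Review bot: In the `@@ -185,6 +203,17 @@` hunk of wp-admin/setup-config.php, the result of `substr( $secret_keys[$key++], 27, 64 )` is written into the config file without being checked, so a short or missing line replaces the placeholder with an empty or truncated secret and nothing reports it. Assuming the service's values are always 64 characters, as the fixed length implies, extract first and substitute only a full-length value: `$secret = isset( $secret_keys[$key] ) ? substr( $secret_keys[$key++], 27, 64 ) : '';` followed by `if ( 64 == strlen( $secret ) ) $configFile[$line_num] = str_replace( 'put your unique phrase here', $secret, $line );`. The repeated labels `"define('SECURE_A"` and `"define('LOGGED_I"` are redundant because the 16-character prefix cannot tell a KEY line from its SALT line; a comment such as `// 16-char prefix matches both the *_KEY and *_SALT line` on the first of each would say so. The `switch` this case list belongs to starts outside the hunk.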
@@ -34,18 +34,23 @@ define('DB_CHARSET', 'utf8');
 define('DB_COLLATE', '');
 /**#@+
- * Authentication Unique Keys.
+ * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
- * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
+ * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/?salt=1 WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
-define('AUTH_KEY', 'put your unique phrase here');
-define('SECURE_AUTH_KEY', 'put your unique phrase here');
-define('LOGGED_IN_KEY', 'put your unique phrase here');
-define('NONCE_KEY', 'put your unique phrase here');
+define('AUTH_KEY', 'put your unique phrase here');
+define('SECURE_AUTH_KEY', 'put your unique phrase here');
+define('LOGGED_IN_KEY', 'put your unique phrase here');
+define('NONCE_KEY', 'put your unique phrase here');
+define('AUTH_SALT', 'put your unique phrase here');
+define('SECURE_AUTH_SALT', 'put your unique phrase here');
+define('LOGGED_IN_SALT', 'put your unique phrase here');
+define('NONCE_SALT', 'put your unique phrase here');
+
 /**#@-*/
 /**