@Paul: Aaron G’s not exactly right on the whole “static salt”/password issue. A “static salt” isn’t really a salt at all because it doesn’t obscure identical passwords in a database any more than plain hashing does. Still, usernames aren’t great salts as they tend to be short and use a narrow range of characters rather than the full character set range. Long strings generated by a high-quality PRNG are better. There’s also the problem that if a user uses the same username and password on two sites, they both use the username as the salt, and they both generate their salted hashes the same way, it’s immediately apparent to a cracker that they’re using the same password on one site as the other. The thing about hashes is that they’re lossy. When the cracker uses rainbow tables to crack a hash, they don’t necessarily get back the original string, but they might get back an equivalent string. If the two sites use the same salt, once the user’s password is cracked on one, it’s cracked on the other, but by using different salts, it has to be cracked for the other as all the cracker might have is a string which hashes to the same value as the password given a certain salt and hash.
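The three salting schemes the comment contrasts, as an added example (this is not code from the commenter or from any site discussed above; the site-wide salt, user names and passwords are constructed values). The block hashes the same password under a static site-wide salt, under a username salt as two independent sites would, and under a per-record random salt, and reports which scheme lets an observer tell that two stored hashes came from the same password.

```python
import hashlib
import hmac
import os

# Constructed "static salt" of the kind the comment says is not really a salt.
STATIC_SALT = b"constructed-site-wide-salt"
ITERATIONS = 50_000  # keep modest so the demo runs quickly; raise in practice


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the supplied salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def static_salt_hash(password: str) -> bytes:
    """Scheme 1: one salt shared by every record (equivalent to plain hashing
    as far as spotting duplicate passwords goes)."""
    return hash_password(password, STATIC_SALT)


def username_salt_hash(username: str, password: str) -> bytes:
    """Scheme 2: the username is the salt. Two sites using this scheme the same
    way store the same hash for the same username/password pair."""
    return hash_password(password, username.encode("utf-8"))


def random_salt_record(password: str) -> tuple[bytes, bytes]:
    """Scheme 3: a fresh 16-byte salt from the OS CSPRNG per record, stored
    alongside the hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def duplicate_visibility() -> dict[str, bool]:
    """True where an observer of the stored hashes can tell that two records
    were made from the same password without cracking either."""
    password = "correct horse battery staple"  # constructed

    # Two different users on one site chose the same password.
    static_same = static_salt_hash(password) == static_salt_hash(password)

    # One user reused the same username and password on two sites that both
    # salt with the username in the same way.
    site_a = username_salt_hash("alice", password)
    site_b = username_salt_hash("alice", password)
    username_same = site_a == site_b

    # Same password stored twice with independent random salts.
    salt1, rec1 = random_salt_record(password)
    salt2, rec2 = random_salt_record(password)
    random_same = rec1 == rec2

    # Each random-salt record still verifies the right password and no other.
    verifies = verify(password, salt1, rec1) and verify(password, salt2, rec2)
    rejects = not verify("wrong password", salt1, rec1)

    return {
        "static_salt_reveals_duplicate": static_same,
        "username_salt_reveals_cross_site_reuse": username_same,
        "random_salt_reveals_duplicate": random_same,
        "random_salt_verifies": verifies and rejects,
    }


if __name__ == "__main__":
    for scheme, visible in duplicate_visibility().items():
        print(f"{scheme}: {visible}")
```

Only the random-salt records differ for an identical password, so a hash recovered for one record tells the attacker nothing about the other; the username-salt records match across the two constructed sites exactly as the comment describes.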