by brepl 3108 days ago
If the username is used as the salt when storing the hashed password in the database, it's impossible to know if a supplied password is valid-but-for-a-different-account.

Wow, using the user as the salt is awesome. Is this considered an ok security practice?
Why would anyone use that? Best practices require that every user has a random (probabilistically) unique salt. Just use bcrypt, or other password hash functions.
Nah, user logins/emails often won't be long enough or random enough. See https://security.stackexchange.com/a/8024/28881 and https://stackoverflow.com/a/5565071/2521092
Would it be an okay practice to prepend the username as extra salt, still using the randomly generated salt?
Why not just use a longer salt? The username is only going to reduce randomness. Moreover, I don't buy the presumed advantage: nobody is really parsing that message to mean someone else could have the same password.
Be careful about how you merge the username and the random salt.
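The merge caveat raised in the last comment, as an added example that is not from the thread: plain concatenation of username and salt loses the boundary between them, so two different (username, salt) pairs can produce the same salt bytes; a length prefix removes the ambiguity. The scrypt parameters and the 2-byte prefix are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# scrypt work factors: assumed values for the example, tune for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def naive_merge(username: str, salt: bytes) -> bytes:
    """Plain concatenation: "ab" + b"c..." and "a" + b"bc..." collide."""
    return username.encode("utf-8") + salt


def safe_merge(username: str, salt: bytes) -> bytes:
    """Length-prefix the username so each (username, salt) pair maps to a
    distinct byte string. The 2-byte big-endian prefix is an assumption."""
    u = username.encode("utf-8")
    if len(u) > 0xFFFF:
        raise ValueError("username too long")
    return len(u).to_bytes(2, "big") + u + salt


def hash_password(username: str, password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The random salt carries the entropy; the
    username is mixed in only as extra, account-specific context."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=safe_merge(username, salt),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(username: str, password: str,
                    salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(username, password, salt)
    return hmac.compare_digest(digest, expected)
```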