
I heard it was good practice to have each user have a unique salt, when I'm hashing a user's password with a salt. My question is, can I make my salt a hash of the user's username? Ex.

    $username_hash = hash($username);
    $pwd_hash = hash($username_hash + $password);

Would something like that be considered acceptable? And more importantly, secure?

Edit:

I know I could do

    $pwd_hash = hash($username + $password);

But if I do that it doesn't protect from rainbow tables, although a hash of the username would.

Alex Jone

1 Answer


No.

Remember that people tend to reuse passwords from service to service. If two systems use your scheme and someone uses the same username and password on both systems, then they will end up with the same hash in both cases.

Salts aren't secret, and technically the randomness requirement on them isn't as strong as what is required for cryptographic keys, but it is best to generate them the same way that you would generate keys, just to avoid this and other sorts of mistakes that people make when creating salts.

Jeffrey Goldberg
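As an added illustration of the answer's point (example code written for this page, not from the question or the answer; the PBKDF2 iteration count and the 16-byte salt length are assumptions): a username-derived salt produces identical records when the same person registers on two unrelated services, while a salt drawn from the OS random generator does not.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the original post).
ITERATIONS = 100_000
SALT_BYTES = 16


def username_salted_hash(username: str, password: str) -> bytes:
    """The questioner's scheme: salt = hash(username), then hash(salt, password)."""
    salt = hashlib.sha256(username.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_salt() -> bytes:
    """The answer's advice: generate the salt like key material, from the OS CSPRNG."""
    return os.urandom(SALT_BYTES)


def random_salted_hash(password: str, salt: bytes) -> bytes:
    """Store (salt, digest) together; the salt itself need not be secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    return hmac.compare_digest(random_salted_hash(password, salt), stored)


def compare_schemes(username: str, password: str) -> dict:
    """Simulate the same user registering on two unrelated services."""
    # Username-derived salt: both services compute exactly the same record,
    # so one breached database exposes the credential on the other, and a
    # per-username precomputed table is reusable across every site.
    a = username_salted_hash(username, password)
    b = username_salted_hash(username, password)
    # Random salt: each service draws its own salt, so the stored records
    # differ even though the username and password are identical.
    salt_a, salt_b = new_salt(), new_salt()
    ra = random_salted_hash(password, salt_a)
    rb = random_salted_hash(password, salt_b)
    return {
        "username_salt_collides": a == b,
        "random_salt_collides": ra == rb,
        "random_salt_verifies": verify(password, salt_a, ra),
        "wrong_password_rejected": not verify(password + "x", salt_a, ra),
    }


if __name__ == "__main__":
    print(compare_schemes("alice", "correct horse battery staple"))
```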