Is it acceptable to generate salts with a hash of the username?

Good salts are unique over the whole range of space-time.

A user does not change his name when he changes his password: that's a failure of uniqueness over time. (Similar case: an old user account is closed, a new user is registered and reuses the same name.)

A user has the same name on several distinct servers, which may employ the same hashing strategy: that's a failure of uniqueness over space. (Think, in particular, of all these users called "Administrator".)

User names are thus rather sloppy as salts. They are much better than no salt at all, but it is highly recommended to use proper random salts instead. 16 bytes (or more) from a cryptographically strong PRNG will give you much better uniqueness.


Think about most wanted usernames like tom, admin, user...

If you create x rainbow tables for the x most wanted usernames, then, for these x users, the attacker just has to look in the rainbow table for that username.
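The uniqueness failures described in the answers above can be checked directly. This is an added example, not code from any of the posts: it enrolls the same account with a username-derived salt and with a 16-byte random salt, then compares the stored hashes. The PBKDF2 parameters, function names and sample passwords are assumptions made for the demonstration.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo

def username_salt(username: str) -> bytes:
    # Scheme from the question: the salt is a hash of the username.
    return hashlib.sha256(username.encode()).digest()[:16]

def random_salt(_username: str = "") -> bytes:
    # Recommended: 16 bytes from a cryptographically strong PRNG.
    return secrets.token_bytes(16)

def enroll(username: str, password: str, salt_fn) -> dict:
    salt = salt_fn(username)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest}

def verify(record: dict, password: str) -> bool:
    # The salt is stored beside the hash, so it never has to be re-derived.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def reuse_report(salt_fn) -> dict:
    # Constructed sample data: one account name, one password, reused.
    pw = "correct horse battery staple"
    server_a = enroll("Administrator", pw, salt_fn)
    server_b = enroll("Administrator", pw, salt_fn)   # another server (space)
    rotated = enroll("Administrator", "interim-password", salt_fn)
    reverted = enroll("Administrator", pw, salt_fn)   # old password again (time)
    return {
        "same_across_servers": server_a["hash"] == server_b["hash"],
        "same_after_reuse": server_a["hash"] == reverted["hash"],
        "salt_changed_on_rotation": server_a["salt"] != rotated["salt"],
        "verifies": verify(server_a, pw) and not verify(server_a, "wrong"),
    }

if __name__ == "__main__":
    print("username salt:", reuse_report(username_salt))
    print("random salt:  ", reuse_report(random_salt))
```

With the username-derived salt, identical stored hashes reveal password reuse across servers and over time; with random salts every record is distinct while verification still works.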