I am creating a user login function but I've seen mixed views on the best way to do this.
Here's what I was thinking of doing...
Is this overkill, wrong, or even not secure enough??
Salting protects against rainbow tables, so having 2 salts isn't going to be any better than 1. The hacker needs to know the salt in order to crack your password with a rainbow table, and the only way they can do that is if they have access to the database table. And if they have that, they have both salts anyway.
The longer the password the harder it will be to do it with brute force, so a longer password is going to be better than extra salt.
Salting and hashing your username will add unwanted overhead every time you read the username from the database. With the password you only need to salt and hash at log-on.
Ideally, use something like BCrypt, where the cryptographic hashing function can be adaptively slowed down over time as Moore's law continues. This will reduce the chance of a brute force attack.
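The scheme this answer describes, as an added example that is not part of the answer or the asker's code: one random salt per password, a plain-text username, hashing only at log-on, and a cost that can be raised over time. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so that it runs without third-party packages; the record format, `CURRENT_ITERATIONS` and the `users` dictionary are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this example; raise it as hardware gets faster.
CURRENT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = secrets.token_bytes(16)  # one random salt per password is enough
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations))
    except ValueError:
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was hashed at a lower cost than the current target."""
    return int(stored.split("$")[1]) < target


def login(username: str, password: str, users: dict) -> bool:
    """Check a log-on attempt and upgrade the stored hash if its cost is outdated."""
    stored = users.get(username)  # username is looked up as-is, not hashed
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)  # re-hash at the new cost
    return True
```

Because the cost is stored in each record, old hashes keep verifying after `CURRENT_ITERATIONS` is raised and are upgraded the next time their owner logs on.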