Tags: php, security, salt-cryptography, activation

Sending random password salt as activation code?


I'm about to set up my registration form to send out an activation email containing a unique code (pretty standard).

I'm already storing in my database a randomly generated salt for each user, which is applied to their password on registration.

My question is, is there any reason that I shouldn't just use that salt as the unique code used for activation emails? This wouldn't save me any work, but it could save database space over time. Mostly I'm just curious what people think of showing the user his password salt.


Solution

  • This is not necessarily a good solution, but as the salts are unique it shouldn't be a huge concern. You could rot13 and base64 encode the salt. Then, no one will actually know that it is the salt, and you could easily reverse it to look it up.
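As an added example (not code from the question or the answer above), this is how the two values can be kept separate in PHP: the password salt stays inside the hash that `password_hash()` produces, while the activation link carries its own random token whose hash is what gets stored. That way a database read does not yield a usable activation code, and the token can expire without touching the password record. The table columns (`password_hash`, `activation_hash`, `activation_expires`) and the `example.invalid` URL are assumptions for the demonstration, not anything the poster described.

```php
<?php
// Added example: independent password salt and e-mail activation token.
// Assumed schema: users(id, password_hash, activation_hash, activation_expires).
declare(strict_types=1);

/** Hash a password; password_hash() generates and embeds its own random salt. */
function makePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Create a fresh activation token.
 * Returns [token to put in the e-mail, hash to store in activation_hash].
 * Only the hash is stored, so the token in the e-mail is the single copy.
 */
function makeActivationToken(): array
{
    $token  = bin2hex(random_bytes(32));   // 64 hex chars, 256 bits from the CSPRNG
    $stored = hash('sha256', $token);      // value for the activation_hash column
    return [$token, $stored];
}

/**
 * Check the token presented in the activation link against the stored hash.
 * hash_equals() compares in constant time so the comparison itself leaks nothing.
 */
function verifyActivationToken(string $presented, string $storedHash, int $expires, int $now): bool
{
    if ($now > $expires) {
        return false;                       // link has expired
    }
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Demonstration with constructed values; no database is involved.
$passwordHash = makePasswordHash('correct horse battery staple');   // constructed password
[$token, $storedHash] = makeActivationToken();
$expires = time() + 24 * 3600;                                      // valid for one day

// Assumed activation URL; the token is URL-encoded defensively even though it is hex.
$link = 'https://example.invalid/activate?token=' . urlencode($token);
echo "Store: password_hash={$passwordHash}\n";
echo "Store: activation_hash={$storedHash} activation_expires={$expires}\n";
echo "E-mail: {$link}\n";

// Case 1: the correct token presented within the validity window.
var_dump(verifyActivationToken($token, $storedHash, $expires, time()));
// Case 2: the correct token presented after activation_expires.
var_dump(verifyActivationToken($token, $storedHash, $expires, time() + 2 * 86400));
// Case 3: a wrong token of the right length.
var_dump(verifyActivationToken(str_repeat('0', 64), $storedHash, $expires, time()));
// Case 4: the password still verifies independently of the activation state.
var_dump(password_verify('correct horse battery staple', $passwordHash));
```

On activation, clear `activation_hash` and `activation_expires` so the link cannot be replayed; the password row needs no change, because the salt embedded by `password_hash()` was never exposed in the first place.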