hash salt complexity

Is there any benefit to using:

sha1($long_unpredictable_randomly_generated_salt.$password.$global_salt)

over

sha1(sha1($username).$password.$global_salt)

The unique salt is obviously stored in the database, while the global salt is in a configuration file on the server.

I know the purpsoe of a salt is just to be unique, and prevent pre-calculated hash tables.开发者_StackOverflow中文版. so I see no reason the long hash generated by sha1($username) is not good enough.. but as security is very important, I thought i'd ask for informative advice here from somebody who may know better :-)

The disadvantage is that the username is mostly known, so when someone knows this 'formula' you made up, he can just calculate sha1(user_to_hack) and this part won't have any additional benefit. In fact, it won't matter much if you use sha1(username) or just username in this case.

In the other case, you're using a value that is not exposed, so even when someone knows your formula (which everybody knows now), he'll still needs the value of that unique salt too before it's any use to them, so they'll need to get to your database. I assume you're making up a unique salt for each user?

You'll probably need to get data anyway, so the unique salt is probably faster too, because you won't need to calculate the hash over username.

But anyway, both are pretty safe, but only if you implement the actual login procedure well. I wouldn't worry about which one to use right now.