Question

I'm about to set up my registration form to send out an activation email containing a unique code (pretty standard).

I'm already storing in my database a randomly generated salt for each user, which is applied to their password on registration.

My question is, is there any reason that I shouldn't just use that salt as the unique code used for activation emails? This wouldn't save me any work, but it could save database space over time. Mostly I'm just curious what people think of showing the user his password salt.


Solution

This is not necessarily a good solution, but as the salts are unique it shouldn't be a huge concern. You could rot13 and base64 encode the salt. Then, no one will actually know that it is the salt, and you could easily reverse it to look it up.

Other tips

If the user is a hacker, knowing their own salt would make it easier for them to crack their own account, but if everyone's salt is different, there would be no reason not to, if it's easier for you. Knowing your own salt only helps you as a hacker crack into your own account. So, in short, there is no real reason.

It would probably be best to use a separate, securely generated value.

As @SyntaxLAMP mentioned, using the salt as an activation code is a form of information leakage. This could also open the door to a MITM attack if someone is sufficiently placed to retrieve the salts of all registered users sent via email in the clear.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow