With all the layers it is almost irrelevant, but is the hash MD5 or something considered secure? MD5 has been deemed inferior for quite a while now. It sounds like you use some unique way to make the salt and key very difficult to determine, and that implies encryption and not a one-way hash like MD5 or SHA1. So, I am afraid that I did not quite follow what was hashed and stored in the database. Clearly running a lot of crypto and getting a hash of the result for every login would be expensive, so that is why I ask.
The weaknesses in MD5 are largely overhyped. It is still just fine when used in a salted + iterated password hash system. Even shitty old DES would be fine in this system, if not for the tiny keyspace.