Hi Mark_HE, you are correct, salt should be random value. I'll explain a bit below, as I think their use case is case 1) not 2).
There are two ways :
1) You can have a single random "salt" value you generate once, and use all the time.
This use of this salt makes your SHA256 "hash" different from the default SHA256 hash (without salt) -
It has convenience that two hashes of the same value will give the same hash value.
Best to store the "salt" seperate from the hashed data, so if someone gets backup copy of your database, without salt value they will have difficulty doing dictionary attack on your passwords for example.
May programs do this by hardcoding some salt into their code, it is not foolproof, but it is better than non salted.
So using md5 hash for demo :
~ $ echo "password" | openssl dgst -md5
(stdin)= 286755fad04869ca523320acce0dc6a4
If we have hardcoded salt value : 96cb3e0a
odonohue@ponyta ~ $ echo "96cb3e0apassword" | openssl dgst -md5
(stdin)= 1095e9066fed434c7a47959c452e3077
This gives us different answer to no-salt.
But also if our code hashes "password" twice for two different users we will get the same hashvalue of "1095e9066fed434c7a47959c452e3077".
I can see for this case, since they are hashing email addresses, this may be what they want, as they may want to know from logs that it is the same user (since it gives same hash), even though they do not want visible the actual email address for the user.
2) Storing salt with each hashed value: (stronger)
This is more secure, but means if two uses of the same value we cannot detect them by simply viewing the logs as they will have different "hashed" values
With this method, when we store the SSHA hash of "password" the first time : we generate random salt : "96cb3e0a"
odonohue@ponyta ~ $ echo "96cb3e0apassword" | openssl dgst -md5
(stdin)= 1095e9066fed434c7a47959c452e3077
we then store the salt plus hash as : "96cb3e0a" + "1095e9066fed434c7a47959c452e3077" somethign like :
{SSHA} 96cb3e0a1095e9066fed434c7a47959c452e3077
in the db.
To verify we need to get the entry, via a key, extract the "96cb3e0a" prefix, and then recalculate the hash with the hash("96cb3e0a" + newPassword ) which should then match the "1095e9066fed434c7a47959c452e3077".
But.. if we store SSHA for another user, we generate new salt for them, so we have : new random salt : 1d8529d9
odonohue@ponyta ~ $ echo "1d8529d9password" | openssl dgst -md5
(stdin)= b527b9ef9bcefbb798fea6e8e434722e
store the salt plus hash a{SSHA} "1d8529d9" + "b527b9ef9bcefbb798fea6e8e434722e"
giving {SSHA} 1d8529d9b527b9ef9bcefbb798fea6e8e434722e
So even though both users have the same password : "password" the hashes are different, and it is not possible by looking at the database or the logs to detect they are using the same password.
So for customers case, they would not be able to detect that the customer was using the same email address from viewing the logs - that may be what they want, but I suspect it is option 1) they are after.
Cheers - Mark