I use bcrypt to hash and store user passwords, and then again to generate unique access tokens, both of which are salted.
In the first case, I simply hash the password + a salt (one randomly generated salt per user) In the second case, I hash, with a unique and randomly generated salt, a concatenated string consisting of the user's username, their password, an autoincrementing integer (so the user can have multiple access tokens).
By including the password in these two hashes, am I making it any easier for a potential attacker with knowledge of the username and auto-incrementing integer and both hash values to guess the user's password?