in reply to Securing Web Apps.

Re: #3, you don't need to encrypt your checksum further with Blowfish. The hash function should be using a secret key that you keep on the server, so no one can generate a new valid hash without knowing that key.
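As an added illustration (not part of the original reply or thread), this Python sketch contrasts an unkeyed checksum with a keyed one, using HMAC-SHA256 as the keyed hash. The field contents, the `value|tag` layout and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: generated once and stored only on the server, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def plain_checksum(value: str) -> str:
    """Unkeyed hash: anyone who edits the value can recompute a matching checksum."""
    return hashlib.sha256(value.encode()).hexdigest()


def sign(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value|tag', where tag is HMAC-SHA256 of value under the server key."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify(token: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, tag = token.rpartition("|")
    if not sep:
        return None  # malformed token: no tag present
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return value if ok else None


if __name__ == "__main__":
    field = "user_id=42;role=user"           # constructed sample value
    token = sign(field)
    print("valid token accepted:", verify(token) == field)

    # Editing the value without the key leaves a tag that no longer matches.
    tampered = token.replace("role=user", "role=admin")
    print("tampered token accepted:", verify(tampered) is not None)

    # With an unkeyed checksum the client can recompute a matching value.
    edited = "user_id=42;role=admin"
    print("unkeyed checksum recomputable by client:",
          plain_checksum(edited) == hashlib.sha256(edited.encode()).hexdigest())
```

The value itself stays readable to the client; the keyed hash only makes changes detectable, which is why no extra encryption of the checksum is needed for integrity.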