“Most of the industry’s worst security problems (like the famously bad LANMAN hash) happened because smart developers approached security code the same way they did the rest of their code. The difference between security code and application code is, when application code fails, you find out right away. When security code fails, you find out 4 years from now, when a DVD with all your customer’s credit card and CVV2 information starts circulating in Estonia.”
This post was written in response to an alarmist post that had been highly reddit’d (aren’t all highly reddit’d posts alarmist?). Besides being an effective smackdown, it is also a good survey of approaches to password hashing, and it includes a good pointer to SRP (the Secure Remote Password protocol).