@blowdart: What about using bcrypt instead of SHA for hashing passwords? Isn't SHA too fast to prevent brute-forcing all the passwords (even with salt)?