Whenever I store user passes I always use a salted hash, with the salt stored in the database and unique to each user (just to make it that extra bit harder for the cracker). Using a unique hash per user means that AT MOST the cracker can get one password out of his hash table, before having to change the salt and start again. What does concern me is sites where they say “Alpha-numeric characters only”, or " Your password must be between x and y characters long" they just scream “I store my passwords in plaintext”.