With the recent password hash leak by LinkedIn/eHarmony, a lot of people are talking about password hashing algorithms. NopCommerce uses SHA-1 with a 5 character salt that is unique to each customer. That is much better than what LinkedIn was doing (MD5 with no salt), but it looks like even SHA-1 with salts can be brute forced in a reasonable time frame (days).
Is there any thought of offering Bcrypt or PBKDF2? I know PBKDF2 is built into the .NET framework (Stack Overflow switched from Bcrypt to PBKDF2). The benefit of these is that it takes .3 seconds to generate a hash versus milliseconds for MD5/SHA-1. That difference isn't a big deal when you're logging in, but it greatly increases the time needed to crack a hash. It goes from days to thousands of years.
I was going to ask how one would handle switching hashing methods when customers are already registered and then saw that each customer has a PasswordFormatId. Awesome!
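To make the two points above concrete (the cost difference between a salted SHA-1 and PBKDF2, and migrating existing customers by keying on a per-record password format id), here is an added example in Python. It is not nopCommerce code: the format id values, the record layout and the salt concatenation order are assumptions, and `hashlib.pbkdf2_hmac` stands in for .NET's `Rfc2898DeriveBytes`. The migration strategy is verify-then-rehash on the customer's next successful login, so no plaintext passwords are ever needed up front.

```python
import hashlib
import hmac
import os
import time

# Constructed format ids standing in for nopCommerce's PasswordFormatId values
# (assumption: the real ids and their meanings are not taken from the project).
FORMAT_SHA1_SALTED = 1
FORMAT_PBKDF2 = 2

# Work factor; raise it until one hash takes a few hundred milliseconds on the login server.
PBKDF2_ITERATIONS = 100_000


def sha1_salted(password: str, salt: str) -> str:
    """Legacy scheme described in the post: SHA-1 over the password and a short
    per-customer salt. Concatenating password then salt is an assumption."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt; Python's stand-in for Rfc2898DeriveBytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32).hex()


def new_legacy_record(password: str, salt: str = "ab3x9") -> dict:
    """Build a customer record the way the legacy scheme would have stored it (constructed sample)."""
    return {"format": FORMAT_SHA1_SALTED, "salt": salt, "hash": sha1_salted(password, salt)}


def new_pbkdf2_record(password: str) -> dict:
    """Build a record in the new format; iterations are stored so they can be raised later."""
    salt = os.urandom(16)
    return {
        "format": FORMAT_PBKDF2,
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": pbkdf2(password, salt, PBKDF2_ITERATIONS),
    }


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check the password against whichever format the record uses. On a successful
    legacy login, re-hash with PBKDF2 and replace the record contents in place, so
    customers migrate transparently the next time they sign in."""
    fmt = record["format"]
    if fmt == FORMAT_SHA1_SALTED:
        ok = hmac.compare_digest(record["hash"], sha1_salted(password, record["salt"]))
        if ok:
            upgraded = new_pbkdf2_record(password)
            record.clear()
            record.update(upgraded)
        return ok
    if fmt == FORMAT_PBKDF2:
        computed = pbkdf2(password, bytes.fromhex(record["salt"]), record["iterations"])
        return hmac.compare_digest(record["hash"], computed)
    raise ValueError(f"unknown password format {fmt}")


def hash_seconds(fn) -> float:
    """Wall-clock time of a single hash computation, to compare the two schemes."""
    start = time.perf_counter()
    fn()
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = new_legacy_record("correct horse")
    print("legacy login ok:", verify_and_upgrade(rec, "correct horse"), "-> format now", rec["format"])
    print("wrong password:", verify_and_upgrade(rec, "wrong"))
    legacy = hash_seconds(lambda: sha1_salted("correct horse", "ab3x9"))
    slow = hash_seconds(lambda: pbkdf2("correct horse", os.urandom(16), PBKDF2_ITERATIONS))
    print(f"SHA-1+salt: {legacy * 1000:.3f} ms   PBKDF2: {slow * 1000:.1f} ms")
```

Two design points worth keeping when porting this to the real store: comparisons use `hmac.compare_digest` rather than `==` so verification time does not depend on where the hashes first differ, and the iteration count lives in the record so old hashes can be detected and re-strengthened on login when the work factor is raised later.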