A very good article from Chris Eng (Veracode) about how developers can design a strong password scheme in their applications to protect users from password theft.
Suppose that your database is stolen (hopefully not): is the data protected? Could the thieves easily recover the passwords? In my last pentests the passwords were stored in clear text... so it's common practice to have passwords stored in an insecure way, or even in clear text.
Here is a good practice for your developers or customers:
Veracode - How to protect your users from password theft