DISCLAIMER: All views are considered my own and you should not draw any conclusions on associates.
Hmm, I just read an article on Coding Horror about hashing, but my take away is to use passphrases. Now I'm thinking wouldn't pass phrases be easier to remember and longer than a password? Since passwords should be ideally be 12 characters or more, then instead of making up passwords that are crypto as heck, I could get a user to create a pass phrase with the account. I mean obviously, they'd need to be able to see the pass phrase before they hit login, but I think that's where I'm going towards. I mean my registration form on Excerion Games doesn't use a verify password field, but instead using a text field that transforms into a password field upon clicking out out the box. It would be easy to just make the login page do the same thing, but its probably a bad idea. I think the current way I'm doing it is fine.
Use bcrypt? I suppose that makes sense in regards to slowing down the brute forcing of data. I'll probably end up using it for data that needs to be transmitted to applications from the API.