In a recent post to his site Sherif Ramadan looks at the topic of password hashing and why most developers are (still) doing it wrong. He notes that "fixing the people" and their mindset about hashing/salting is much harder than just fixing the code.
Beyond just writing code I also have to solve some very tough problems on a regular basis. Some of which don’t stem from code at all, but from the people behind the code. Fixing code is easy for me (computers just do what I tell them to do), but fixing people proves to be a lot more challenging. Unfortunately some people are of the mindset that they aren’t wrong simply because they’ve never been proven wrong before. To some people being proven wrong goes beyond just words. Some of us are a lot more stubborn than others and so explaining something may not be enough. This is called the wisdom of humility.
He points out that even those that immediately think "rainbow tables" when they think about md5 hashing are behind the times. Most processing methods, including the use of a GPU, can be used much more effectively and don't require the overhead of the large tables. He illustrates with a "random" md5 generator that outputs around 916 million variations. With a GPU running 4k million per second, this kind of cracking won't take long. He also talks about salts and how they can help the situation - but not just append it, hash with it.
It’s usually the result of several underlying factors that people end up making poor choices about security. Some times it’s due to incompetence. Other time it’s due to politics. Whatever the reasons are they are never excusable, because there are better alternatives out there and it’s not as though they are more difficult or less available than others. So there really are no good reasons [not to do it] here.