Good Read: Password Hashing.
by Tim O'Brien
"Most of the industry’s worst security problems (like the famously bad LANMAN hash) happened because smart developers approached security code the same way they did the rest of their code. The difference between security code and application code is, when application code fails, you find out right away. When security code fails, you find out 4 years from now, when a DVD with all your customer’s credit card and CVV2 information starts circulating in Estonia."
This post was written in response to an alarmist post that had been highly reddit'd (aren't all highly reddit'd posts alarmist?). Besides being an effective smackdown, this post is also a good survey of approaches to password hashing. It also includes a good pointer to SRP (the Secure Remote Password protocol).
Like that CVV2 number adds any meaningful security in the first place. The first time you use it anywhere, it's out there. The one thing that makes credit cards reasonably secure is credit card owners are not held liable for fraud. So the cards themselves are not all that secure; we're just protected from the consequences when they fall into the wrong hands.