Comments by Patrick Persson (Top 1 by date)

Patrick Persson 9-May-11 20:04pm
Deleted
It's good that you mention hashing with the user id since it will generate a different hash, but it will not save you if someone breaks in and copies your database. Even a mobile phone can do over 4000 hashes of SHA-1 per second, so with a good dictionary, someone could easily brute force the database overnight. Although, if you mix in iterations as well, you are safer. If your database hashes the hash some 1000 times, an attacker (if the iteration count is kept safe) would spend a lot more iterations for each password before they can find a match. All in all though, good advice. :)
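
An added example, not part of the original comment: one way to combine a per-user salt with iterated hashing, using PBKDF2 from Python's standard library in place of a hand-rolled "hash the hash" loop. The record layout, function names and the `dictionary_hours` cost model are assumptions made for illustration; the salt and iteration count are stored next to the hash, so the example does not rely on either being secret.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1000  # the comment's figure, used here as an assumption; raise it for real hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex' so every record carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt  # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    iterations_s, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations_s))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was created under a weaker iteration policy."""
    return int(record.split("$", 1)[0]) < target_iterations


def dictionary_hours(words: int, accounts: int, hashes_per_second: float,
                     iterations: int) -> float:
    """Simplified cost model: salts stop work being shared between accounts,
    and each guess is counted as `iterations` hash operations."""
    return words * accounts * iterations / hashes_per_second / 3600


if __name__ == "__main__":
    # Constructed sample values, not data from the page.
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record))
    for n in (1, ITERATIONS):
        print(n, "iterations:", round(dictionary_hours(1_000_000, 1, 4000, n), 2), "hours")
```

On a successful login, `needs_rehash` lets the application re-hash the password under a higher iteration count without forcing a reset.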