Paul Buchheit has a blog post on this. The summary of his blog post is this: "Using a salted-hash such as MD5 or SHA-1 isn't much better. Use bcrypt."

http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-...