Currently, we salt passwords and hash them with 1000 rounds of MD5. This is pretty okay given what we reasonably have access to (although we could do better on at least some systems with `crypt()`), but modern PHP introduces `password_hash()`. On systems where we have access to it, it would be better to prefer it (roughly, it's a thin layer on top of `bcrypt`).
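
One way to structure the migration described above, as an added example that is not the project's own code: new hashes use `password_hash()` when the runtime has it, and legacy hashes are verified and then replaced at login. The `php:`/`md5:` prefixes, the function names, and the exact legacy construction (salt prepended, MD5 iterated 1000 times) are assumptions for illustration.

```php
<?php
// Added example. The legacy construction and the 'md5:'/'php:' tags are
// assumed; the page only says "salted, 1000 rounds of MD5".
function legacy_md5_hash($password, $salt) {
    $digest = $salt . $password;
    for ($i = 0; $i < 1000; $i++) {
        $digest = md5($digest);
    }
    return 'md5:' . $digest;
}

// Hash a new password with the best hasher this runtime offers.
function best_hash($password, $salt) {
    if (function_exists('password_hash')) {
        // PASSWORD_DEFAULT output embeds its own salt and cost.
        return 'php:' . password_hash($password, PASSWORD_DEFAULT);
    }
    return legacy_md5_hash($password, $salt);
}

// Constant-time comparison that also works where hash_equals() is missing.
function safe_equals($a, $b) {
    if (function_exists('hash_equals')) { return hash_equals($a, $b); }
    if (strlen($a) !== strlen($b)) { return false; }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) { $diff |= ord($a[$i]) ^ ord($b[$i]); }
    return $diff === 0;
}

// Returns array($ok, $replacement): $replacement is a stronger hash to
// store in place of $stored, or null when no upgrade is needed or possible.
function verify_and_upgrade($password, $salt, $stored) {
    if (strncmp($stored, 'php:', 4) === 0) {
        if (!function_exists('password_verify')) { return array(false, null); }
        $inner = substr($stored, 4);
        $ok = password_verify($password, $inner);
        $stale = $ok && password_needs_rehash($inner, PASSWORD_DEFAULT);
        return array($ok, $stale ? best_hash($password, $salt) : null);
    }
    $ok = safe_equals($stored, legacy_md5_hash($password, $salt));
    $upgrade = $ok && function_exists('password_hash');
    return array($ok, $upgrade ? best_hash($password, $salt) : null);
}

// Constructed sample: an account still stored under the legacy scheme.
$stored = legacy_md5_hash('correct horse', 'constructed-salt');
list($ok, $new) = verify_and_upgrade('correct horse', 'constructed-salt', $stored);
var_dump($ok, $new !== null && strncmp($new, 'php:', 4) === 0);
```

The caller persists the replacement hash whenever the second element is non-null, so legacy hashes are retired as users log in rather than in a bulk rewrite that would need the plaintext.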