* Key stretching - http://en.wikipedia.org/wiki/Key_stretching - repeats the hashing/encryption operation on the plain text password thousands or millions of times to make brute forcing very slow (maybe 0.5 sec per attempt) - this is the single most important element that most systems omit. Even using SHA-512 is poor practice if it's not stretched.
* Salt - this stops the well-known rainbow table cracking attacks which can take just a second or so if the rainbow table covers the type of passwords - can be accelerated with large SSDs, search for the vendor of Ophcrack for an online test that is scarily fast. Bizarrely, even Windows 7 doesn't use salt, unlike *nix.
I find it extraordinary that so many people aren't aware of key stretching when it's so simple to implement. Any password hashing scheme that enables 'billions of operations per second' is extremely dangerous.
The stretching iterations can even be varied for each installation of a web app, making it very hard for the attacker if they are only able to retrieve the passwords via a basic SQL injection.
See http://www.openwall.com/articles/PHP-Users-Passwords for a good introduction to the concepts in the context of the excellent phpass library (adopted by Drupal and others.) It supports bcrypt, but also uses MD5, which can be quite secure with salt and enough stretching.