Storing passwords
Posted Oct 15, 2011 21:26 UTC (Sat) by tialaramex (subscriber, #21167)
In reply to: Storing passwords by quotemstr
Parent article: WineHQ database compromised
In this case it seems they were using Bugzilla, which somewhere along the line went from Perl's clone of old school crypt() to a hand-rolled (inevitably) salted SHA256 hash.
So, not completely awful, but pretty bad. Not once during the long thread of comments on Bugzilla does anybody think that maybe they should see if this critical security work has already been done, properly, by someone who actually knows what they're doing... Wheel? What's that, this is my rotating movement device.