1) You need to salt your passwords.
"Assume a user's secret key is stolen and he is known to use one of 200,000 English words as his password. The system uses a 32-bit salt (like md5). Because of this salt, the attacker's pre-calculated hashes are of no value. He/she must calculate the hash of each word with each of 2^32 (4,294,967,296) possible salts appended until a match is found. The total number of possible inputs can be obtained by multiplying the number of words in the dictionary with the number of possible salts:
2^{32} \times 200 000 = 8.58993459 \times 10^{14}
To complete a brute-force attack, the attacker must now compute about 800 trillion hashes, instead of only 200,000. Even though the password itself is known to be simple, the secret salt makes breaking the password radically more difficult." - http://en.wikipedia.org/wiki/Salt_(cryptography)
