Redmine

If Redmine dev's want to do that, they'd want to look into doing something like Bcrypt (http://en.wikipedia.org/wiki/Bcrypt), because of its built in salt support and it's adaptive. I'm not sure if Ruby/Rails has any tools immediately available to it but it would be nice.

Implementation/migration could be tricky though.

As for me, I run LDAP auth so not really a huge deal.

As far as I know automatic migration is impossible, all users have to reset their passwords. If are talking about password storing the point is as good security as possible.

I want to use LDAP, but now it confuses me and I don't know how to set it up.

There is no protection against brute force attack (it attacker get your passwords from database), because SHA is designed/implemented to be as fast as possible, but with brute force we want attacker to be as slow as possible.

I'd still point out that mathematically to find out a specific password for an account via brute force: SHA is fine (it's still computationally unreasonable to brute force a salted SHA password). To run all salts in a DB against a known password list however will yield me a large number of hits relatively quickly, however using password lists isn't brute forcing.

Algorithms like bcrypt and PBKDF2 combat the list of common passwords issue, by making it computationally unreasonable to run anything but the smallest common password lists against a salted DB.

While you might not call it brute forcing, when using a large dictionary it essentially is. Every second thus gained via the use of bcrypt or scrypt is a real pia for the attacker.
I wonder if this can be made into a plugin, but considering the changes it needs to make in the User model I guess it is more a candidate for a patch :-/

I have a plugin that implements some password policy rules from my ISIT dept.
One is adding a timeout after X failed login attempts.
https://github.com/go2null/redmine_account_policy

Would love to see some improvements in this area though.