> In fact, I use HMAC for my password databases, too. It’s overkill, but it lets me use a standard library that likely makes me safer in the long run.

Actually, it's underkill. HMAC is too easy to crack to be used as a password hashing scheme.

http://security.stackexchange.com/questions/16809/is-a-hmac-...

http://security.stackexchange.com/questions/3165/hmac-why-no...