Well, I just spent two hours talking to the people interviewing developers at mt.gox and tradehill.
Tradehill: SHA-1 currently, looking at SHA-512. No one certified on security. The top cred repeatedly touted was one guy who developed "300 iPhone apps".
Mt.Gox: Was NOT hacked. Their financial auditor had read-only access to the database and his computer was compromised. They were asked why the financial auditor had access to the data, with no response.
I was literally yelling about bcrypt, and apparently Mark (mt.gox) said that bcrypt wasn't actually very secure and that they were going to use 1000 passes of SHA-512.
You can't just secure the servers; you've got to secure the entire set of machines which ever connect to the servers, and all of the machines which ever touch the offline data. If your data is stolen off of a laptop or USB drive -- as an absurd amount of data has been -- it's just as stolen as if it's taken from the central server.