fix password encryption/storage

[rayhatfield]

i haven't studied this in detail, but it looks like we're using simple sha1 with no salt to encrypt passwords. this should be rewritten to use something reasonably secure.

[numist]

IIRC we use a salt, but regardless we should definitely be using bcrypt instead.