
This page, when I read it a couple days ago, was pretty bad.


What reference would you recommend instead?


Coda Hale's page.

http://codahale.com/how-to-safely-store-a-password/

Let's be clear-eyed about this: we're talking about an OWASP page that says the "1-2-3" rules to do passwords well are "use SHA256", "pick a cryptographically random salt", and "iterate the hash".

Well, #1 is a suggestion that makes virtually no difference; your outcome won't be meaningfully worse if you use the (broken) MD5 algorithm than it will be if you use SHA-2.

And #2 is also a suggestion that makes virtually no difference; the (relatively unimportant) attack that "salts" blunt does not depend in any practical way on predicting salt values. Strong salt, weak salt, same deal: rainbow tables stop working, everything else still does.

Rule #3 is the only thing that matters on this page, but, of course, simply iterating your hash 64,000 times is an inferior solution to PBKDF2, bcrypt, and scrypt.

This page is a wiki, and I called it out on Twitter a day ago so the odds are some of this stuff has been "addressed"; but, I thought about taking a stab at fixing up the page and realized I'd be trying to incrementally improve that 1-2-3 advice. And, to the specific point of this thread: whatever better advice is there today, it wasn't there last week for LinkedIn or eHarmony to take advantage of.
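To make the distinction in the comment above concrete, here is an added example (not from the thread or from OWASP) that puts the "1-2-3" scheme (SHA-256, random salt, plain iteration) next to a purpose-built password KDF, PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the stored-string format and the function names are assumptions made for this illustration; the salt's only job is to defeat precomputation (rainbow tables), while the iteration count is what makes each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional

# The "1-2-3" scheme the thread criticises: SHA-256, a random salt, and a plain
# iteration loop. Kept here only for contrast with a real password KDF.
def naive_iterated_sha256(password: str, salt: bytes, iterations: int = 64000) -> bytes:
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest

# Assumed parameters for this example (not the page's). The iteration count should
# be tuned so one hash costs on the order of 100 ms on the server that verifies logins.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32
SCHEME = "pbkdf2_sha256"

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scheme$iterations$salt_hex$derived_key_hex.

    Storing the iteration count with the hash lets it be raised later without
    breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-password random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record, never accept
    if scheme != SCHEME or iterations <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the two keys first differ.
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if a stored record uses a weaker scheme or fewer iterations than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < target_iterations
    except ValueError:
        return True

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
```

A practical pattern is to call `needs_rehash` on every successful login and re-hash the just-verified password under the current parameters, which is how a site migrates away from an unsalted or weakly iterated scheme without forcing a password reset.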



