(Or was it the worst? I forget...)
> 1 UOW = program for yourself
> 3 UOW = give it to someone else
> (you install, you copy, etc)
> 9 UOW = give it to local group
> (howto, platform change)
> 27 UOW = shareware/open source
> (configure/make/make install)
> 81 UOW = product
> (real docs, slick UI, support teams)
> 243 UOW = business
> (lawyers, CEO, sales, marketing)
If you can pick or control the overall authentication protocol, it would be even better to only store the s and v parameters from the Secure Remote Password (SRP) protocol. Pick a good underlying hash function H(), such as in the parent post. SRP uses some fancy zero-knowledge proof / public key algorithms (fairly interesting if you study it) to significantly reduce attack cross-sections for a much wider range of attack scenarios than just a hashed password, even when the password is weak.
Someone ought to define a way to delegate a web app's password validation to the SSL layer of the https connection, which would then use SRP to do the validation. Find ways to make it hard for an attacker to force a downgrade to less secure authentication, for example by making the browser remember which web sites have used SRP in the past, and refusing to use weaker authentication protocols for them ever again. Done well, this would also reduce vulnerability to should-not-have-been-signed fraudulent certificates.
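An added example, not from the comment above or from any SRP library, of what "store only s and v" means in practice: the client derives the salt and verifier at enrolment, and the server completes an SRP-6a exchange holding only those two values and never the password. It assumes SHA-256 for H() and a small toy prime N (a real deployment would use one of the RFC 5054 groups).

```python
import hashlib
import secrets

# Toy group parameters for demonstration only (assumption: real deployments
# use an RFC 5054 safe-prime group, not this small Mersenne prime).
N = (1 << 127) - 1
g = 2

def H(*parts: bytes) -> int:
    """SRP hash H(): SHA-256 over the concatenated inputs, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def private_x(username: str, password: str, s: bytes) -> int:
    """SRP-6a: x = H(s | H(I | ":" | p)); only the client ever computes this."""
    return H(s, to_bytes(H(username.encode(), b":", password.encode())))

def register(username: str, password: str) -> tuple[bytes, int]:
    """Client-side enrolment: the server stores only the salt s and verifier v."""
    s = secrets.token_bytes(16)
    v = pow(g, private_x(username, password, s), N)
    return s, v

def authenticate(username: str, password: str, s: bytes, v: int) -> tuple[int, int]:
    """One SRP-6a exchange; returns (client_session_key, server_session_key)."""
    k = H(to_bytes(N), to_bytes(g))
    # Client ephemeral: A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server ephemeral, blinded with the stored verifier: B = k*v + g^b
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    # Both sides scramble with u = H(A | B)
    u = H(to_bytes(A), to_bytes(B))
    # Client side: recompute x from the typed password
    x = private_x(username, password, s)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: uses v, never x or the password
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return H(to_bytes(S_client)), H(to_bytes(S_server))
```

A leaked database yields only (s, v); recovering the password from v still requires a discrete-log or per-guess dictionary attack against the group, and the server never learns the password during login.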
Some ways Windows core OS could be improved:
POSIX filesystem semantics, including removing/renaming open files (continue access until closed), transition away from mandatory file locking by default, transition away from carriage returns in text files (fix notepad, start changing tools to default to leaving the carriage returns out), switch to UTF-8 encoding for Unicode by default for filenames and contents (instead of 2-bytes-per-character), transition to case-sensitive filenames (when most people use GUIs instead of typing names, why have the insensitive complexity in there...), etc.
Fix it so POSIX API functions are no longer treated as bastard stepchildren - implement them in the core, and emulate others.
Include a good, standard scriptable command line interpreter by default, where it can be counted on to be installed.
I could go on for some time, but maybe you see the pattern. Summary: Keep the fancy end user GUI stuff, but fix the underlying foundation.
"Trust me. I know what I'm doing." -- Sledge Hammer