Roundup Tracker - Issues

Message4272

Author elic
Recipients ber, elic, joseph_myers
Date 2011-04-13.22:28:48
Message-id <1302733729.71.0.430685872757.issue2550688@psf.upfronthosting.co.za>
In-reply-to
Attached is a patch which addresses points (a) and (b) raised by Joseph. 

This patch adds support for a new encrypt format based on PBKDF2, and 
makes it the default for new passwords; as well as some other cleanups I 
made in an attempt to move some parts of the password parsing out of 
roundup proper, and into password.py.

The new hash has the following:

* It uses the format "{PBKDF2}<rounds>$<salt>$<digest>", with an encoding 
format adapted from what Linux's SHA512-Crypt uses, for simplicity. 
* It defaults to 10000 rounds (I would like to make this configurable via 
config.ini, but can't quite figure out how to get a hold of a config 
instance from inside encryptPassword). 
* For new passwords, it generates a random 20-byte salt (which can be 
easily increased in the future). 
* It uses a 20-byte digest to match the underlying HMAC-SHA1 prf used by 
the PBKDF2 implementation. 
* For the backend, it uses M2Crypto.EVP.pbkdf2 if available, else falls 
back to a pure-python implementation built into password.py

If this looks useful, I'm willing to take a stab at writing code to migrate 
existing hashes (though I may have some questions for roundup-devel in 
that case).

- Eli
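As an added illustration of the hash format described in the message above (example code, not the patch itself or Roundup's password.py), the following generates and verifies a "{PBKDF2}<rounds>$<salt>$<digest>" string with the stated parameters (10000 rounds, 20-byte salt, 20-byte HMAC-SHA1 output), using hashlib.pbkdf2_hmac in place of the M2Crypto or pure-Python backend. The 6-bit packing into the crypt alphabet is an assumption: the message only says the encoding is adapted from SHA512-Crypt.

```python
import hashlib
import hmac
import os

# Parameters as stated in the message.
ROUNDS = 10000
SALT_BYTES = 20
DIGEST_BYTES = 20  # matches the HMAC-SHA1 PRF output size
# Crypt-style alphabet; the exact packing below is an assumption.
H64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def h64_encode(data: bytes) -> str:
    """Pack bytes into the crypt alphabet, 6 bits per character (assumed layout)."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 6:
            bits -= 6
            out.append(H64[(acc >> bits) & 0x3F])
    if bits:  # pad the final partial group with zero bits
        out.append(H64[(acc << (6 - bits)) & 0x3F])
    return "".join(out)


def h64_decode(text: str) -> bytes:
    """Inverse of h64_encode; raises ValueError on characters outside H64."""
    out, acc, bits = bytearray(), 0, 0
    for ch in text:
        acc, bits = (acc << 6) | H64.index(ch), bits + 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out)


def pbkdf2_hash(password: str, salt: bytes = None, rounds: int = ROUNDS) -> str:
    """Produce "{PBKDF2}<rounds>$<salt>$<digest>" with a fresh random salt by default."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, DIGEST_BYTES)
    return "{PBKDF2}%d$%s$%s" % (rounds, h64_encode(salt), h64_encode(dk))


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Check a password against a stored string; malformed input simply fails."""
    if not stored.startswith("{PBKDF2}"):
        return False
    try:
        rounds_s, salt_s, digest_s = stored[len("{PBKDF2}"):].split("$")
        rounds, salt, expected = int(rounds_s), h64_decode(salt_s), h64_decode(digest_s)
    except ValueError:
        return False
    if rounds < 1 or not salt or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison
```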
History
Date User Action Args
2011-04-13 22:28:49  elic  set     messageid: <1302733729.71.0.430685872757.issue2550688@psf.upfronthosting.co.za>
2011-04-13 22:28:49  elic  set     recipients: + elic, ber, joseph_myers
2011-04-13 22:28:49  elic  link    issue2550688 messages
2011-04-13 22:28:49  elic  create