Currently, passwords are hashed using a configurable algorithm, salt, and iteration. This is fine, but the standard PBKDF2 is not supported currently, as we use our own algorithm to combine the salt and password and then iterate.
I would like to add support for the PBKDF2 standard, which is used in WPA, WPA2, iOS, Android, and so on. See also:
The implementation of the most common combination, PBKDF2 with HMAC-SHA-1, is already included in Java 6, so we would just have to make use of it. Unfortunately, SHA-256 is not supported yet, as far as I can see.