While Shiro's hash support is great for both password hashing and general-purpose hashing, when hashing passwords, some common techniques and strategies are often used to ensure a consistently strong password management experience. These techniques are currently implemented by the application developer, however, which means that 1) they have to design a secure strategy and 2) implement it themselves using Shiro's Hash mechanisms.
It'd be much nicer if Shiro provided, say, a PasswordService interface and implementations that implement what the community feels are best practices that can be used out-of-the-box so 1) and 2) don't need to be repeated on a per-app basis.
This is probably related to SHIRO-213 as well.