The real problem with password hash is not how secure is the algorithm but how long before it can be broken by brut force using cheap hardware.
Now that you can buy computer CPU grid on the cloud for nothing, it is a matter of time that all our SHA-256 hash be broken.
So, try BCrypt :
http://en.wikipedia.org/wiki/Bcrypt
I am not very good at math but I understand that, you can choose the strength of the amount of computation to hash your password, which amount means
time !
If today CPU can generate millions of MD5 hash per second, with BCrypt and a strength of 12 (2 at the power of 12), it takes 1 seconde on my Intel i7 quad core. With strength 13 it takes 2, with strength 14 it takes 4 and so on.
You have understood well. To generate a hash it takes at least 1 seconde. So if your passwords database were stolen, it will take 1 million more time than MD5 to bruteforce your password.
Set this strength as a configuration value and when the tomorrow computer will compute strength 14 in less than 10 milliseconds just upgrade the strength.
