If you want to store passwords as hashes, use $md5 instead of $hash.

If you store a password as a hash with $hash(password, 32), anyone can produce the same result with a one to five character, very-easy-to-calculate replacement. $md5 makes it much more difficult to calculate a replacement.

All this and more in the next issue of DUH! Magazine

Edit: ...and this is not a bug.

personally, i dont STORE my passwords at all.