I just learned that @bluehost does not hash passwords but encrypts them (and considers this best practice). recommendation: AVOID THEM