Damn, does it really not salt hashed passwords? SMF is worse than I thought.
To be fair, it sort of does. There is a password_salt field which is not used for salting the password, but is used as part of the login cookie and changes every time you log in. The passwd field itself is sha1(username + password). Why they did not at least switch to the built in password_hash php function for smf 2.x remains a mystery.
Of course talk of secure hashing is academic when you can just walk up to the server and brute force any password using the un-logged, un-rate-limited, ssi_checkPassword function which existed for years as part of smf 1.1