Pros: A complete swiss-army knife for managing password strings. I maintain a large project which requires the ability to authenticate all sorts of passwords, DES crypt, MD5, Blowfish, LDAP encodings, this module does it all.
Cons: A twisty maze of odd dependencies, all alike.
This is a very clean and consistent way of managing password strings and making them into password objects.
It's nice for testing (using cleartext passwords), upgrading (migrating from say crypt to a stronger hash), and other scenarios where the polymorphism of the api is very valuable (everything can be used the as/from stringification methods, and can be tested for password equivalence the same way, even though the representations are different).
The only problem I ran into is that it doesn't [yet] support $apr1$ style passwords (i dunno if this is the hash function or just the formatting that is missing), but aside from that it works great.