An ecommerce project I've been working on for the past couple of years has 3 layers. The DB is separate from the business logic which is separate from the web app... The BLL isn't internet accessible, and the DB isn't accessible even from the web server at all. The BLL and the web app talk to one another via an XML API.
You sound like a .NET developer; you probably are one.

BCrypt is just a bit resource intensive...
Yeah, better store the passwords in plaintext, that'll be a nice performance optimization.