
The reason people suggest HMAC or keyed hashes with password hashes is that they believe this foils attackers who steal password databases but not the HMAC key. Of course, that begs a question: if you have a place to store an HMAC key where attackers can't get it, why not just store the password hashes there? In reality: if you've lost your password hash database, your application has been game-overed. You don't hash passwords to further protect your own app; you do it to protect everybody else who is exposed to the inevitably shared passwords that users use.

Don't do stuff like this.
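As an added illustration of the construction the comment is arguing against (this is example code, not the commenter's, and the names `hash_password`, `verify_password` and `demo` are hypothetical): the "keyed hash" pattern wraps a slow, salted password hash in an HMAC under a server-side key (often called a pepper). The demo shows the mechanics, and also the property behind the comment's objection: the verifying application must hold the HMAC key at login time, so the key lives inside the same trust boundary as the hash database, and a record cannot even be verified by the legitimate service once the key is unavailable. Only Python's standard library is used; the salts and the pepper are constructed inline for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256; kept modest so the demo runs quickly.
# A production deployment would tune this (or use scrypt/Argon2) to its hardware.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes, pepper: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash of the password, optionally wrapped in HMAC(pepper, .).

    The per-user salt is stored next to the hash; the pepper (if any) is a
    single server-side key that is NOT stored in the password table.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if pepper is not None:
        # Keyed wrap: without the pepper, nobody can recompute this value.
        digest = hmac.new(pepper, digest, "sha256").digest()
    return digest


def verify_password(password: str, salt: bytes, stored: bytes,
                    pepper: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a freshly computed hash against the stored one."""
    candidate = hash_password(password, salt, pepper, iterations)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Exercise both the plain and the peppered variants.

    Returns a dict of booleans so the behaviour can be checked programmatically:
      plain_ok        - unpeppered record verifies with the right password
      plain_wrong     - unpeppered record rejects a wrong password
      peppered_ok     - peppered record verifies when the app holds the pepper
      peppered_wrong  - peppered record rejects a wrong password
      peppered_nokey  - peppered record verifies WITHOUT the pepper (should be False:
                        the pepper is required at every login, so the app must keep
                        it reachable, i.e. inside its own trust boundary)
    """
    # Constructed sample material for the demo.
    password = "correct horse battery staple"
    salt = os.urandom(16)
    pepper = os.urandom(32)  # would come from a KMS/HSM/env var in a real deployment

    plain_record = hash_password(password, salt)
    peppered_record = hash_password(password, salt, pepper)

    return {
        "plain_ok": verify_password(password, salt, plain_record),
        "plain_wrong": verify_password("wrong password", salt, plain_record),
        "peppered_ok": verify_password(password, salt, peppered_record, pepper),
        "peppered_wrong": verify_password("wrong password", salt, peppered_record, pepper),
        "peppered_nokey": verify_password(password, salt, peppered_record),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `peppered_nokey` case is the practical consequence of the comment's point: the key is not optional metadata but a dependency of every authentication, so whatever store holds it must be online to the same application that holds the hashes.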


