The 8 Commandments for Securing Your Users' Passwords
1) People re-use passwords - if your database is stolen your users' Hotmail, Facebook, and banking passwords could be at risk.
2) Passwords should never be stored in a database in plain text - don't trust your administrators!
3) Simply storing the hash of the password is not enough - rainbow-table attacks can recover the passwords behind an unsalted hash table!
4) Append salt (random data) to your passwords before hashing - generate a unique salt per user and store it in a separate table
5) MD5 and SHA1 are now broken and useless as secure hashes - use SHA-512
6) Do not apply salt and hash on the client before authenticating - this is vulnerable to a man-in-the-middle attack
7) Send the password in plaintext over an SSL connection to prevent password sniffing
8) To check the password, look up the user's salt, append it to the password, hash the result, and compare it against the stored secure password
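Commandments 4, 5 and 8 as one runnable example, added here rather than taken from the original page. It assumes Python's standard library only (hashlib, secrets, hmac), uses two in-memory dicts as stand-ins for the password table and the separate salt table, and picks a 16-byte salt as an assumed size; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the two tables the page describes:
# the password table holds only salted SHA-512 digests, the separate salt
# table holds each user's unique salt.
PASSWORD_TABLE = {}  # username -> hex SHA-512 of (password + salt)
SALT_TABLE = {}      # username -> hex salt, generated once per user

SALT_BYTES = 16  # assumed salt size: 128 bits of CSPRNG output per user


def hash_password(password: str, salt: bytes) -> str:
    """Append the salt to the password and hash with SHA-512 (commandments 4 and 5)."""
    return hashlib.sha512(password.encode("utf-8") + salt).hexdigest()


def register_user(username: str, password: str) -> None:
    """Store only the salted hash; the plaintext never reaches the database (commandment 2)."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh, unpredictable salt for this user
    SALT_TABLE[username] = salt.hex()
    PASSWORD_TABLE[username] = hash_password(password, salt)


def verify_password(username: str, candidate: str) -> bool:
    """Commandment 8: look up the salt, append it, hash, and compare with the stored value."""
    if username not in SALT_TABLE:
        # Hash a dummy value anyway so an unknown username costs the same time
        # as a known one and cannot be distinguished by response timing.
        hash_password(candidate, b"\x00" * SALT_BYTES)
        return False
    salt = bytes.fromhex(SALT_TABLE[username])
    computed = hash_password(candidate, salt)
    # Constant-time comparison: a plain == would leak how many leading
    # characters of the digest matched.
    return hmac.compare_digest(computed, PASSWORD_TABLE[username])


def shared_password_yields_distinct_hashes(user_a: str, user_b: str) -> bool:
    """The point of a per-user salt (commandment 3/4): two users with the same
    password must not end up with the same stored digest, so a precomputed
    rainbow table for plain SHA-512 cannot crack both at once."""
    return PASSWORD_TABLE[user_a] != PASSWORD_TABLE[user_b]


if __name__ == "__main__":
    # Constructed sample users; both choose the same password on purpose.
    register_user("alice", "correct horse battery staple")
    register_user("bob", "correct horse battery staple")
    print("alice login ok:", verify_password("alice", "correct horse battery staple"))
    print("alice wrong pw:", verify_password("alice", "Tr0ub4dor&3"))
    print("unknown user:", verify_password("carol", "anything"))
    print("same password, different digests:",
          shared_password_yields_distinct_hashes("alice", "bob"))
```

One caveat a practitioner should know when following commandment 5 literally: a single SHA-512 round is fast, so an attacker holding the stolen table can still try guesses at high speed. The same code accepts a slow password hash as a drop-in, for example `hashlib.pbkdf2_hmac("sha512", password, salt, iterations)` in place of the one-shot `hashlib.sha512` call, which keeps the salt-per-user and constant-time-compare structure shown here while raising the per-guess cost.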