I have written several times about the absolute necessity to properly hash passwords. The tricky part is that properly. It's a bit subtle to get it right. Happily the folks over at Defuse Security have an excellent guide that
- Tells you what to do
- Tells you what not to do
- Provides source code to proper implementations in PHP, Java, C#, and Ruby
If you're a developer tasked with the customer authentication system, be sure to read this. There's lots of good advice in it. And whatever you do, don't store the passwords in plain text. If you do, you're going to end up here and be the object of universal derision and scorn.