This mainly follows the advice given in "Cryptographic Right Answers":
Password handling: As soon as you receive a password, hash it using scrypt or PBKDF2 and erase the plaintext password from memory.
Do NOT store users' passwords. Do NOT hash them with MD5. Use a real key derivation algorithm. PBKDF2 is the most official standard; but scrypt is stronger.
Please keep in mind that even if YOUR application isn't particularly sensitive, your users are probably re-using passwords which they have used on other, more sensitive, websites -- so if you screw up how you store your users' passwords, you might end up doing them a lot of harm.
Note that scrypt is an algorithm developed by the author himself, so read that recommendation with that in mind.
If you are not familiar with the field of cryptography, this article by Colin Percival is a good starting point: it tells you which kinds of problems are solved with which tools.
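As an added illustration of the quoted advice (not code from the original post or from Colin Percival), here is a minimal PBKDF2-based store/verify pair in Python using only the standard library. The iteration count, the record format (`pbkdf2_sha256$iterations$salt$hash`) and the function names are assumptions chosen for this example; the same structure works with `hashlib.scrypt` by swapping the derivation call.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. The iteration count should be tuned
# to the slowest derivation your login path can tolerate on your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a verifier from a plaintext password and return a
    self-describing record: scheme$iterations$salt$derived_key.
    Only the record is stored; the plaintext is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    # Python cannot reliably zero an immutable str, so the best we can do
    # is avoid holding extra references to the plaintext after this point.
    return f"{SCHEME}${iterations}${_b64(salt)}${_b64(derived)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time, so a mismatch does not leak where the bytes differ."""
    try:
        scheme, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False                    # malformed record
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Storing the iteration count inside the record lets you raise it later for new passwords while old records still verify, and the constant-time comparison via `hmac.compare_digest` avoids a timing side channel on the verifier bytes.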