Use strong password hashing

When it comes to password storage, you should really be using bcrypt or a similarly well-proven slow hashing method that includes a salt. Not all hash functions are created equal — digest hashes like MD5 are not designed for protecting passwords, but instead are designed for fast integrity verification.

Why is being fast a bad thing? Because if an attacker acquires a password hash, they can try to determine the original password by brute forcing their way through all possible passwords, checking to see if there is a match. The slower the hashing function, the longer it will take to try every possible value.

Also note that “HMAC” itself is not a hash function, but rather a way of using another hash function. Thus, something like HMAC-MD5 is still not appropriate for password hashing because it’s still effectively using MD5.

It should hopefully go without saying that you should never use reversible encryption for passwords. There is absolutely no reason why you should ever need to look up the original value of a password — if a user forgets their password, just generate a single-use token that allows them to reset their password and email them the token. (Never email actual passwords.)