What you should not do

- Do not store passwords as plain text.
- Do not try to invent your own password security.
- Do not 'encrypt' passwords: encryption is reversible, so whoever gets the key gets every password. Hash them instead.
- Do not use MD5 (or any other fast general-purpose hash): it is built for speed, which is exactly what an attacker brute-forcing hashes wants.
- Do not use a single site-wide salt: one shared salt lets an attacker precompute a single table that cracks every user at once.

What you should do

- Use a cryptographically strong password hashing function like bcrypt (see PHP's crypt() function).
- Use a random salt for each password, so that two users with the same password get different hashes.
- Use a slow hashing algorithm to make brute force
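The three recommendations above, carried out in PHP with crypt() and bcrypt, as an added example (this code is not from the original post). It generates a fresh random salt for every password, lets bcrypt's cost factor make each hash slow, and verifies in constant time. The cost of 12 and the function names are assumptions for the illustration; requires PHP 7.0 or later for random_bytes().

```php
<?php
// Added example, not from the original page: bcrypt password hashing
// through PHP's crypt(), with a per-password random salt.
declare(strict_types=1);

// Cost factor: bcrypt runs 2^cost rounds. PHP's own default is 10;
// 12 is an assumed value here. Raise it as hardware gets faster.
const BCRYPT_COST = 12;

/**
 * Build the salt string crypt() expects for bcrypt:
 *   "$2y$" . two-digit cost . "$" . 22 characters from [./A-Za-z0-9]
 * The 22 characters come from 16 bytes of CSPRNG output, and a new
 * salt is produced on every call, so identical passwords hash differently.
 */
function bcrypt_salt(int $cost = BCRYPT_COST): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // Standard base64 emits '+' and '/'; bcrypt's alphabet is '.' and '/',
    // so map '+' to '.' and keep the first 22 characters.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

/**
 * Hash a password with bcrypt. The 60-character result embeds the
 * algorithm id, cost and salt, so it is the only thing you need to store.
 */
function hash_password(string $password): string
{
    // bcrypt only uses the first 72 bytes of its input; refuse longer
    // passwords instead of silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $hash = crypt($password, bcrypt_salt());
    // crypt() reports a bad salt or unsupported algorithm with a short
    // "*0" / "*1" string rather than an error; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

/**
 * Verify a password against a stored hash. Passing the stored hash as the
 * salt makes crypt() reuse the cost and salt embedded in it; hash_equals()
 * compares the two strings in constant time.
 */
function verify_password(string $password, string $stored_hash): bool
{
    if (strlen($password) > 72) {
        return false;
    }
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// Usage with a constructed sample password.
$stored = hash_password('correct horse battery staple');
echo $stored, PHP_EOL;
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('Tr0ub4dor&3', $stored));
// Hashing the same password again yields a different string: the salt differs.
var_dump(hash_password('correct horse battery staple') === $stored);
```

On PHP 5.5 and later, password_hash() and password_verify() do exactly this (bcrypt, random salt, constant-time comparison) behind one call, and password_needs_rehash() lets you raise the cost over time; prefer them to hand-rolling the salt when they are available.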