From personal experience,
Quote (waraholic @ Aug 26 2017 12:44pm)
Don't ever send the password over http or https. Don't ever save the password in your database. You should be saving a hash of the password in your database and you should be using SHA256 or higher to hash. You hash the password client side before sending it over https. You then verify it against the hash you have in your DB. This way if the traffic is intercepted or your database is compromised the attacker doesn't get the password.
edit: This is a pretty good guide as to what to do and what not to do:
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/

This is probably best for security