Web Security
I have developed many websites and web-oriented features using PHP and JavaScript. Most of my work was on behalf of Ass Kickin Solutions as the lead web developer and server administrator. Throughout my experience I have seen many common and uncommon ways of securing a password. Below I share some of my experiences. If you wish for a more detailed guide with PHP, visit this page.
Database Connections
The connection to the database is very important. A standard connection to the most recent version of Oracle or MySQL is good for most builds as long as the connection is local. If the connection is to a dedicated database server, then this connection should be encrypted, since you must send usernames and passwords to that server. When using PHP, before you connect to the database you should ensure you use sanitization functions, such as intval(), in your code. Also, using the PDO library will help prevent a lot of SQL injections. I have seen many sites that run a blog off a $_GET id variable and do not sanitize the id using intval() and the PDO library. This is an open door for hackers alike, and I always ensure that all input is sanitized and goes through the PDO object to connect to the database.
Encryption
Passwords should never be stored in plain text; they should always be hashed using a cryptographic hash function such as the Message-Digest algorithm 5 (MD5). Using plain MD5 on its own is not recommended because it is vulnerable, with many rainbow tables in existence. This should only be a concern if an attacker can perform a MySQL injection to get the passwords in their hashed form, or get the username and password for the database. If you are currently using the most recent version of the PDO library then this should be less of a concern for you. But the following topic should still be put in place as an extra security measure.
Salt
To add even more security to your MD5 hashing you should apply a salt (and pepper) to the password. Let me explain: suppose user "Test" uses one of the 200,000 English words for his password, let's say "dummy". When he is asked to log in, the PHP script will MD5 the password and compare it to the hashed password in the database. A salt is when you add a string before the password, such as "E@l8`2'#qy", so now the string that is hashed is no longer "dummy" but "E@l8`2'#qydummy". A pepper does the same thing but appends the string, like "dummyE@l8`2'#qy". Now suppose someone finds the hashed password, finds a match in the rainbow table to "Alice56T", and enters that as the password. Usually that would hash to the same thing as "E@l8`2'#qydummy", but the string that actually gets hashed is "E@l8`2'#qyAlice56T", which is not a valid password. A salt and pepper require the attacker to create a totally new rainbow table with many more combinations to be able to crack it. To add even more security you could generate a different salt and pepper per user, which would require the creation of a new rainbow table for each user. Needless to say, this makes the password very secure and hard to crack.
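The salt-and-pepper scheme described above, combined with the intval() and PDO advice from the Database Connections section, as an added PHP example that is not code from the original page. It assumes an in-memory SQLite database and a users table with id, name, salt, pepper and pwhash columns; the table layout and function names are my own.

```php
<?php
// Added example, not code from the original page. Per-user salt (prepended) and pepper (appended)
// around md5, stored and checked through PDO prepared statements; the SQLite table is an assumption.
function makeSecret(int $bytes = 8): string {
    return bin2hex(random_bytes($bytes)); // cryptographically secure random source
}

function hashPassword(string $salt, string $password, string $pepper): string {
    return md5($salt . $password . $pepper); // salt before, pepper after
}

function registerUser(PDO $db, string $name, string $password): void {
    $salt = makeSecret();   // fresh values for every account, so no shared rainbow table
    $pepper = makeSecret();
    $stmt = $db->prepare('INSERT INTO users (name, salt, pepper, pwhash) VALUES (?, ?, ?, ?)');
    $stmt->execute([$name, $salt, $pepper, hashPassword($salt, $password, $pepper)]);
}

function checkLogin(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT salt, pepper, pwhash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // hash_equals() runs in constant time, so timing does not reveal how close a guess was
    return hash_equals($row['pwhash'], hashPassword($row['salt'], $password, $row['pepper']));
}

function userNameById(PDO $db, $rawId): ?string {
    // Untrusted id (e.g. $_GET['id']): cast with intval() and bind it as an integer,
    // never concatenate it into the SQL string.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->bindValue(1, intval($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt TEXT, pepper TEXT, pwhash TEXT)');
registerUser($db, 'Test', 'dummy');
registerUser($db, 'Alice', 'dummy'); // same password as Test, different salt and pepper

var_dump(checkLogin($db, 'Test', 'dummy'));
var_dump(checkLogin($db, 'Test', 'Alice56T'));
var_dump(userNameById($db, '1abc')); // constructed request value; intval() keeps only the leading digit
$hashes = $db->query('SELECT pwhash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]); // identical passwords do not produce identical stored hashes
```

Run it with the php CLI; it needs the pdo_sqlite extension.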
Other
Other things you can do to ensure the security of your users are to make sure that their session cannot be stolen. A session is stolen when a sniffer grabs the packet that was being sent to the server and tells the server that it comes from their computer. The sniffer now holds the session and is logged in (if the user it was stolen from was logged in) as that user. One way to stop this is to have a function record the IP address of the user when the session is started. Now every time the user views a page with that session, the stored IP is checked against the IP of the client; if they do not match, destroy the session. Another way is to set cookies with an array of trusted IPs (such as the one they created their account from). If a user is logged in and not at a trusted IP, you destroy the session, ask them to log in again and answer a secret question that was set during registration. If they log in correctly then add the IP to the trusted IP list for that user. This will also work with a database. There are other things that can help secure your users' private information; this is just a rundown of the standard procedure that I use during the creation of any site.