Basic advice for implementers

* Don't store user passwords in plain text. Anyone who gets access to the system will then have all passwords. Even if your system is never hacked by outsiders, you and other administrators should not have access to users' passwords.

* Don't email a user their password. (The only exception might be sending a new temporary password during the password recovery process, but preferably send a link they must go to, and which expires soon.)

* Don't display a user's password on the screen.

* Don't store user passwords encrypted. Anyone who gets access to the system will probably then get all the passwords, even if the decryption key is not stored somewhere on the system, which it probably is.

* Store only hashes of the passwords.

* The stored hashes should be salted so that an attacker cannot efficiently crack all captured password hashes at once and so that it's impossible to tell whether a user has the same password at two different sites, given their hashes from those two sites.

* The hash function should be relatively slow to compute (e.g. a few dozen hashes per second), so use an iterating hash function like bcrypt or PBKDF2 with many iterations rather than a single call to a fast hash function like MD5 or SHA256.

* Use existing hash technology that's been tested and studied by cryptologists instead of trying to make up some new scheme.

* Don't enforce a maximum password length. There is no reason to force users to use shorter weaker passwords. There is no reason the password length should matter to you since you are simply storing a fixed-length hash of the password, not the password itself.

* Don't enforce a restricted alphabet like "only alphanumeric symbols with no special characters". There is no reason to force users to use weaker passwords with smaller alphabets. Allowing any printable ASCII character from 33 "!" to 126 "~" should be normal. There is no reason to worry about "URL-unsafe" characters such as <, & or /, or about SQL injection attacks, since you are simply storing a hash of the password, not using the password in URLs or database commands.

* If you want or need to allow foreign letters (not at all a bad idea, especially if your users are not English speakers), know about Unicode and UTF-8 encoding.
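The following is an added example, not code from the original page, that puts the hashing points above (salt, slow iterated hash, an existing tested primitive) together with the length and Unicode points (any length, any character, normalize and UTF-8-encode before hashing). It uses Python's standard-library PBKDF2-HMAC-SHA256; the record layout, the iteration count, and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Example policy (assumed, not from the page). Raise ITERATIONS until one hash
# takes tens of milliseconds on the machine that verifies logins; the count is
# stored with each record so it can be raised later without breaking old ones.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _password_bytes(password: str) -> bytes:
    # Any length and any Unicode character is accepted. NFC normalisation makes
    # "é" typed as one code point and as "e" + combining accent compare equal;
    # UTF-8 then gives the hash function a definite byte string to work on.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means the same password never produces
    the same record twice, here or at any other site using the same scheme.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _password_bytes(password), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never crash
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", _password_bytes(password), salt, iterations, dklen=KEY_BYTES
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than the current policy, so the
    hash can be recomputed from the plaintext at the next successful login."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


if __name__ == "__main__":
    # Constructed sample input: a long password with non-ASCII letters.
    pw = "correct hörse battery staple " * 4
    rec = hash_password(pw)
    print(rec)
    print("login ok:", verify_password(pw, rec))
    print("wrong pw:", verify_password(pw + "!", rec))
    print("two records for one password differ:", hash_password(pw) != rec)
```

On a successful login, check `needs_rehash` and, if it returns True, store `hash_password` of the plaintext just verified; this is how an existing user base migrates to a higher iteration count without anyone resetting a password.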

* Take some time to research this stuff. Read classic old articles like "Password Security: A Case History" by Robert Morris and Ken Thompson and modern classics like http://codahale.com/how-to-safely-store-a-password/. Take a browse through sites like http://stackoverflow.com/questions/tagged/passwords.