Since writing the guff in the left-hand column, things have moved on. Read this and ponder!
I think it's still essential to salt and hash (loosely, "encrypt") your passwords. If the database gets hacked it will offer some protection. But the message has to be "make it harder for a brute-force attack to succeed", as follows:
- At least 8 characters in your password, using mixed upper and lower case, numbers and symbols.
- Don't use real words as part of the password
- Don't use MD5, SHA1 or SHA256 as the password hash; they are fast, unsalted digests designed for speed, which is exactly what an attacker wants
So, in the table above I have added a crypt() version of the hashed password (for PHP only, of course). This adds a salt and a deliberately more costly algorithm, which reduces the number of guesses an attacker can make in a given time.
I'm not talking about someone typing a password into a log-on form here. I'm talking about the web site's database being hacked, so that the attacker has a list of user names and hashed passwords. Against a fast, unsalted hash, the attacker can make billions of guesses a second in some cases.
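To make the "salt plus costly algorithm" point concrete, here is an added example (my own, not code from the original page): it hashes one constructed sample password with crypt() using an explicitly generated bcrypt salt, then with password_hash(), which generates the salt itself, and times a single bcrypt guess against a single MD5 guess. It assumes PHP 7 or later for random_bytes() and password_hash().

```php
<?php
// Added example, not from the original page. Assumes PHP >= 7.0
// (random_bytes, password_hash, hash_equals all available).

$password = 'correct horse battery staple'; // constructed sample input

// 1. crypt() with an explicit bcrypt salt. Format: "$2y$" + two-digit cost +
//    22 characters from the alphabet ./A-Za-z0-9. The cost is log2 of the
//    number of rounds, so each +1 doubles the work per guess.
$cost      = 12;
$saltChars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$saltSpec  = sprintf('$2y$%02d$%s', $cost, $saltChars);
$hashA     = crypt($password, $saltSpec);

// Verify by re-running crypt() with the stored hash as the salt spec; it reads
// the cost and salt back out of the hash. hash_equals() is constant-time.
$okA = hash_equals($hashA, crypt($password, $hashA));

// 2. The modern wrapper: password_hash() picks a random salt and embeds both
//    salt and cost in the output, so the database only needs one column.
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$okB   = password_verify($password, $hashB);

// password_needs_rehash() lets you raise the cost later as hardware gets
// faster: rehash on the user's next successful login.
$needsUpgrade = password_needs_rehash($hashB, PASSWORD_BCRYPT, ['cost' => $cost + 1]);

// 3. Contrast: an unsalted fast hash. Two users with the same password get the
//    same digest, and a precomputed table or GPU cracks it quickly.
$md5A = md5($password);
$md5B = md5($password);

// 4. Time one guess with each scheme. The gap is the whole point of the cost
//    parameter: a defender pays it once per login, an attacker once per guess.
$t = microtime(true);
crypt($password, $saltSpec);
$bcryptSeconds = microtime(true) - $t;

$t = microtime(true);
md5($password);
$md5Seconds = microtime(true) - $t;

printf("crypt():         %s (verify: %s)\n", $hashA, $okA ? 'ok' : 'FAIL');
printf("password_hash(): %s (verify: %s)\n", $hashB, $okB ? 'ok' : 'FAIL');
printf("would rehash at cost %d: %s\n", $cost + 1, $needsUpgrade ? 'yes' : 'no');
printf("md5 identical for identical password: %s\n", $md5A === $md5B ? 'yes' : 'no');
printf("one bcrypt(cost=%d) guess: %.4fs, one md5 guess: %.6fs\n",
       $cost, $bcryptSeconds, $md5Seconds);
```

Run it from the command line with `php hash_demo.php`. Pick the cost so that a single verification takes a noticeable fraction of a second on your own server; that same delay is what each of the attacker's guesses now costs, instead of the nanoseconds an MD5 guess takes.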