Password hashing: bcrypt, argon2

MD5/SHA-1 obsolete. Today — modern hashing.

Why just hash isn't enough

Rainbow tables, brute force GPU.

bcrypt

Slow — brute force hard. Cost 12-14.

PHP

password_hash($pass, PASSWORD_BCRYPT).

Argon2

PHC winner. PASSWORD_ARGON2ID.

Salt

Automatic.

Pepper

In .env, not DB.

2FA

Always add.