Storing passwords, a brief recap:
* 1990: Just put them into a database.
* 1995: You gotta MD5 those bro, plain-text is not good.
* 1996: I heard MD5 is no good anymore, better SHA-1 those.
* 1997: Better add a sleep delay to slow down brute-forcing through remote connections.
* 1998: Add a salt, bro, beware of dictionary attacks. One per database should be enough.
* 2000: Sorry, I meant a unique salt per password. There is this thing called rainbow tables now.
* 2005: SHA-1 is broken too now, we need to migrate to SHA-256.
* 2010: Forget about SHA-256, we need to deal with GPU crackers now. Let's just key-stretch for now.
* 2014: Our homegrown key-stretching algorithm turned out to be a massive failure. Let's just switch to scrypt.
* 2015: OK, our data at rest is safe (for now) but our user passwords still made it to pastebin because we decrypt everything in RAM and hackers dumped everything from there.
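
Where the 2000 and 2014 entries end up (a unique salt per password, then scrypt), as an added Python example that is not code from the original post. The cost parameters, the `scheme$...` record format, and the function names are assumptions made for illustration; the legacy branch shows one way to upgrade an old unsalted SHA-256 record on the next successful login.

```python
import hashlib
import hmac
import os

# Assumed cost parameters (not from the original post); tune them for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # memory ceiling handed to OpenSSL's scrypt

def hash_password(password):
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh random salt for every password, never per database
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                        dklen=DKLEN, maxmem=MAXMEM)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Return (ok, needs_rehash) for a stored record."""
    scheme, *fields = record.split("$")
    if scheme == "scrypt" and len(fields) == 5:
        n, r, p = (int(x) for x in fields[:3])
        salt, expected = bytes.fromhex(fields[3]), bytes.fromhex(fields[4])
        dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected), maxmem=MAXMEM)
        # Constant-time comparison; rehash if stored parameters lag the current ones.
        return hmac.compare_digest(dk, expected), (n, r, p) != (N, R, P)
    if scheme == "sha256" and len(fields) == 1:
        # Legacy unsalted record (constructed format): verify once, then upgrade.
        dk = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(dk, bytes.fromhex(fields[0])), True
    return False, False  # unknown scheme: fail closed

def login(store, user, password):
    """Check a login and transparently upgrade weak or outdated records."""
    ok, needs_rehash = verify_password(password, store[user])
    if ok and needs_rehash:
        store[user] = hash_password(password)
    return ok

if __name__ == "__main__":
    # Constructed sample: one user still stored as unsalted SHA-256.
    store = {"alice": "sha256$" + hashlib.sha256(b"hunter2").hexdigest()}
    print(login(store, "alice", "hunter2"), store["alice"].split("$")[0])
```
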