You really have to use bcrypt to hash your passwords, it was designed specifically for hashing passwords.
Hashing functions for passwords should be slow (some computational time is needed). Most hashing algorithms, such as SHA-1 and MD5, or even SHA-256, are designed to work quickly, but this makes it an easy target for brute force attacks. The finished GPU is able to calculate about 8 gigabytes of MD5 hashes per second!
Do not be afraid to use bcrypt! This applies not only to sites with a high degree of protection, but their use can be as simple as using the md5 hash. It is recommended to use a well-known library, for example phpass , and if you want to understand how it can be implemented, you can read this article , where I tried to explain the most important points.
UPDATE:
Current versions of PHP offer password_hash () and password_verify () functions to handle passwords. Use them as follows:
// Hash a new password for storing in the database. // The function automatically generates a cryptographically safe salt. $hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT); // Check if the hash of the entered login password, matches the stored hash. // The salt and the cost factor will be extracted from $existingHashFromDb. $isPasswordCorrect = password_verify($password, $existingHashFromDb);