The trick is: you should never store the user's password. Never, ever.
Now the real question is, how do you authenticate the user with a password if you never store it? The answer: when the user sets the password, we run it through a one-way function and store only the result (the "hint"), never the password itself. Note that this is hashing, not encryption: encrypted data can be recovered by anyone holding the key, whereas a proper hash cannot be reversed at all.
So the next time the user enters the password, we follow the same process and compare the hints. If both hints are the same, the password matches; otherwise it is the wrong password.
Next question will be, what kind of hints, and how to generate these hints.
- In simple terms, a hint is a fixed-length, one-way derived form of the user's password: you can compute it from the password, but not the password from it.
- The most important part is the hint generation process. It has to be preimage resistant (given a hint, it must be infeasible to find any password that produces it) and collision resistant (it must be infeasible to find two different inputs that produce the same hint), which is what cryptographic hash functions provide. For passwords specifically, it should also be deliberately slow and use a unique random salt per user, so that an attacker who steals the database cannot test billions of guesses per second or crack many accounts with one precomputed table (this is what dedicated password hashing functions such as bcrypt, scrypt, Argon2 and PBKDF2 are built for).
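The set-and-verify flow described above, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, stores the hint as a single string, and compares in constant time on verification. The record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions chosen for illustration, not something the page prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a work factor high enough to be slow
# for an attacker, and a 16-byte random salt per stored password.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive the stored 'hint' for a password.

    Returns a self-describing record (assumed format for this example):
    "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>". The plaintext
    password is never stored; only this record is.
    """
    if salt is None:
        # Fresh random salt per password, so two users with the same
        # password get different records and rainbow tables are useless.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hint with the stored salt and parameters and compare.

    Returns False (never raises) on a malformed or unrecognised record, so a
    corrupted row cannot be turned into a login.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison: a plain == would leak, through timing, how
    # many leading bytes of the digest an attacker has guessed correctly.
    return hmac.compare_digest(candidate, expected)


def salts_differ(password: str) -> bool:
    """Demonstrate that the same password yields different records each time."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
    print("same password, different records:", salts_differ("hunter2"))
```

Because the iteration count is embedded in the record, you can raise it later for new and re-entered passwords without breaking verification of older records, which is the usual way to migrate a user base to a stronger work factor.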
Below is a simple checklist for hashing and storing passwords, which you should always keep in mind.