How can a password for a database be encrypted?

I have found a Stackoverflow answer in English that answers the question Secure hash and salt for PHP passwords .

The most voted answer says that you should not hash with SHA1, MD5 or SHA256 because modern crackers can exceed 180 billion hashes per second so it is not difficult for them to break it.

And the second most voted recommends not to write our own mechanism, but to use the PHP function password_hash(). Example of password_hash():

$pass = $_POST['password'];    
$passHash = password_hash($pass, PASSWORD_BCRYPT);

The BCRYPT algorithm will create a string of 72 characters maximum, which is different each time it is encrypted, so to check that the password entered is correct we must use the function password_verify():

password_verify($pass, $passHash)

The best option (according to the PHP manual) is to use password_hash() to encrypt the key and then retrieve it from the database using password_verify()

Although the option to include your own $salt is included in the password_hash() function, it is recommended not to use a salt and leave that to PHP, which generates one automatically and is much more secure than any type of salt that we can include on our own, in any way that occurs to us. In fact, in various parts of the PHP manual, it is strongly requested NOT to use your own salt for the keys dumped to this function, since it would weaken its strength. (In fact, in version 7 of PHP this option is already considered obsolete and will throw an error at runtime).

As for the "cost" parameter that can be added, it is an accessory security measure, but it must be taken into account depending on the server where said function is being used due to the workload on the server to create a hash of stronger key.

The suggested code is:

$opciones = [  'cost' => 12, ];

password_hash($tu_propia_clave, PASSWORD_BCRYPT, $opciones);

In general, a cost of 12 is quite safe and produces a server workload that is tolerable (as a general rule, in some cases it will be necessary to perform various tests to evaluate that the "function takes less than 100 milliseconds on interactive systems. "-SIC-). If the array containing said cost is not indicated (it must be yes or yes included in an array) its value is 10 as default value.

The example to validate the key retrieved from the DB against the one entered by a user would be something like this:

$hash_BD = $objeto_bd->valor_hash_recuperado;

if (password_verify($tu_propia_clave, $hash_BD)) {
    echo '¡La contraseña es válida!';
} else {
    echo 'La contraseña no es válida.'; 
}

As always, if you require more information, it is always better to go to the source: PHP.NET - Password_hash() function

Complementing Carlos Quiroga's answer, a good possibility is to use a dynamic salt based on the user's password. For example:

<?PHP

$user_pass =  'Mi_Pasw0rd';
$salt = md5($user_pass);
$pasword_encriptado = crypt($user_pass, $salt);

echo $pasword_encriptado;

?>

However, saving the password in the database securely is not the only thing to worry about, since you have to cover different weaknesses of possible attacks. One possibility is to use randomly created Security Tokens on the Login page to prevent CSRF-type attacks. This would be a very brief and simple example but demonstrative of what the idea is:

<HTML> <!-- Formulario de Login-->
<input name="token" id="token" type="hidden" value='<?= md5(time()); ?>'>
</HTML>

<?PHP /*Página de inicio de sesión */

/* Si las credenciales de usuario se validan se abre una sesión y */
/* se agrega el token a la variable $_SESSION .*/

$token              =   crypt($_POST['token']);
$_SESSION["token"]  =   $token;

?>

The token can be stored in the database, in the users table and be compared in a security file, the peculiarity of the token is unique per user and per session

<?PHP /*Página de control */
....
$result = $stm->fetch(PDO::FETCH_ASSOC);
$token= $result['Token'];
if ($_SESSION["token"] != $token ) {

    header("Location: login.php");
    exit();

}   

?>

This way you have an encrypted user password and a dynamic password that no one else knows.

Try:

$INSERT INTO usuarios VALUES('usuario',SHA('contraseña'));
$INSERT INTO usuarios VALUES('usuario',MD5('contraseña'));

Take a look at this link:

http://www.solingest.com/blog/store-passwords-in-mysql

What is the problem with SHA-2? Perhaps you mean that the family SHA-1is vulnerable (that's right) The recommended minimum is SHA256. But the better it is, the better security you will have. In fact, it is considered to SHA512be Saltvery safe.

test md5($var);is quite safe, you can read a little more here

http://php.net/manual/es/function.md5.php

It occurs to me that you could record a block of zeros or another character and encrypt it with the php mcrypt module and when the user enters a password the program simply checks if the block remains in the original character