How should I store user passwords in my web app database the right way?
Context
Building a small web app (Python/Flask with PostgreSQL) that has its own email + password signup. Currently the prototype saves the raw password string into a password column, which I know is wrong.
Expected
A stored credential should be useless to an attacker even if the whole database leaks, while still letting legitimate users log in.
What Happened
Passwords are stored in plain text. I've read conflicting advice about MD5, SHA-256, salts, bcrypt, and Argon2 and don't know which approach is actually current best practice.
Question comments
Short clarifications and small follow-ups about the question itself.