What is the best option to save a password securely?
The best option might change every minute. So the best bet is to update yourself constantly and look for the latest way. But generally speaking, you have two options. - Use third-party authentication. - If you have to do it yourself, follow the standard. Latest one.
Besides, you have to always look for bad behavior from your users and prepare for the worst. Don't expect your user to choose a strong and unique password and to save it only in his/her head. That is very unlikely.
Generally, these are some bad behavior to expect from a user - Users use the same password all over the place, - Users use a common password and it's likely that different users will have the same password
With those assumptions in place here are the current trends and the pros and cons of each.
Pitfall #1: Storing password as a plain text
Take the user's credentials(username and password) and save it in the database. This has some advantages. Like simply comparing username and password when the user signs in. However, this is really bad idea and incredibly insecure. Because if someone gets to your database, it means you have exposed all your user's credentials. So, avoid this method at all cost as it is irresponsible and unprofessional.
Pitfall #2: Encrypting and storing password
This might be better than pitfall #1 but it still is a really bad idea. Because encryption is like a lock. And locks are cracked and lost all the time. Hence if someone loses the encryption key or if someone cracks your it, you have lost all your critical data. Big corporations like Adobe has made this mistake. Even-worse they have saved the user's password hints plainly. That means a hacker can simply go through the large database of users and find similar hints and figure out users password and encryption key.
Pitfall #3: Hashing and storing password
A hash is a summary of a lot of data.
This will have the same problem pitfall #2 has. Once the hashing is figured out, all is lost. There is also a rainbow table. Common hashing like md5 can easily be broken.
Current recommended approach. Hashing and Salting.
A salt is a random string of character that is different for every user. When a user registers and puts their password in, you generate a random salt and combine both and hash it.