Yeah! Do not store them at el! easy! Lets look at some of the common ways of storing the passwords.
Hashes are insecure. Don't believe me check https://hashes.org. Pre computed hashes in a rainbow table that has map to the actual password. A lil bit secure way is to create a random salt string and combine that to hash the password. But in this case you have to store the salt along with the hashed password.
Use an established identity manager
oAuth 2, OpenID, SAML and Kerberos, KeyCloak, OpenAM, Gluu. Sometimes you have to be the provider. In that case use SRP
Secure Remote Password(SRP)
Verifier-Based key changes protcol and Standardised as well. Based on
Diffie-Hellman which is a standard protocol for key exchange(only the public keys are exchanged, no MITM attach/no phishing). Is a part of the Async Key Exchange(AKE) protocol family.
Why is it good?
- Drop in replacement, low cost and socially acceptable.
- One of the best algos for attacking SRP is not parrallelizable.(Discrete Log)
- Secure than SSH
- Can't do offline attacks.
- independent of 3rd parties, unlike(Kerberos)
- used in SSL/TLS, SAML
Now, how does it work
Registration flow without all the fussy formula's