Password Storage Done Right

https://crackstation.net/hashing-security.htm is a great resource on securely storing a user's password. My understanding is this:

• Use one salt per user, not one salt for all users.
• The salt should be generated using a secure random method, and its length should be the length of the hashing method.
• Append or prepend the salt to the password.
• Hash this value. Use SHA256, SHA512, RipeMD, or WHIRLPOOL. (Call this "Result A")
• Next, use key-stretching on Result A with PBKDF2 or bcrypt. (Call this "Result B")
• Finally, add a secret key to Result B, either by:
• Encrypt the hash with AES
• Include the key with the result using HMAC
• The secret key can better be kept secret if it:
• Isn't hard-coded into the app source
• Isn't included on the same DB as the passwords
• Even the above won't protect you in the event that an attacker gets full control of the system. Use an external system specifically for password validation, or use a special hardware device like  YubiHSM.

These are just my distilled notes of the article, it is actually much larger and covers more topics.