Passwords MUST NOT be recovered. So you need to use hashing algorithms. The most popular are MD5 and SHA1 . I will not suggest using MD5 because it can be easily attacked, and there are many hashes generated. SHA1 is better, but it has one too. The safest is SHA256 / SHA512 (part of the SHA2 family) based on this . Although the problem with the SHA2 family is that it is very much based on SHA1. It is not broken yet, but it may soon be torn. If you have time, you can transfer one of the algorithms made for the SHA3 contest or a less well-known algorithm. If you can install extensions, then competitors of SHA3 already have PHP extensions.
A good table for the security level is on Wikipedia . And if you choose, you must “attack with a collision” with [algorithm] "and [preimage attack on [algorithm]" to see if there is an attack there (Wikipedia may be outdated).
Also, do not forget to salt. This means that you haveh $ string + "Whatever" instead of $ string.