Hacker News
by magnetic 2658 days ago
I don't know what the industry actually does, but what it should probably do is use bcrypt.

https://en.wikipedia.org/wiki/Bcrypt

1 comments

On a project I started last year, I used SHA512 (probably overkill but who cares) and then bcrypt. It allows users to have passwords of arbitrary size with the goodness of bcrypt.

Then AES256 the result and use that. I read somewhere that's what Facebook does.