[zaphar]

There are some subtleties here that are important to know[0]. Which is why I generally advise people to use the framework provided code for this.

0: Such as use a secure hash like sha256 or blake2 instead of md5.

[angoragoats]

Yes, though I would recommend something that is resistant to timing attacks such as bcrypt. And this was why I mentioned frameworks in my last sentence. My intention wasn’t to give a comprehensive soup to nuts guide for what to do; instead i was giving a high level overview.