
+1 for bcrypt - "ordinary" hashing algorithms were made to compute as fast as they can, which is exactly the opposite of what you will want for your system. Rainbow tables are so quick and easy to make - IIRC it currently takes only some hours to compute all MD5 hashes for passwords up to 8 characters long on a system with some good graphics cards. What you want is an algorithm which takes an up-to-date system some 10-100ms to compute a hash - bcrypt is configurable in its complexity (time to compute hash), and you should adapt the parameters every 1-2 years to increase the complexity.
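
Added example, not part of the original comment: one way to pick a bcrypt cost that lands in the 10-100 ms window and to spot stored hashes that predate the current setting. All function names are hypothetical, `bcrypt_measure` assumes the third-party `bcrypt` package, and `model_measure` is a constructed timing model used when that package is absent.

```python
import re
import time

# bcrypt modular-crypt string: $2b$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

def stored_cost(hash_str):
    """Return the cost factor embedded in a stored bcrypt hash."""
    m = _BCRYPT.match(hash_str)
    if not m or not 4 <= int(m.group(1)) <= 31:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))

def calibrate_cost(measure, target_ms=50.0, lo=4, hi=31):
    """Smallest cost whose single-hash time reaches target_ms.

    Each +1 doubles the work, so when cost `lo` is below target the result
    lands between target_ms and 2 * target_ms (50 ms stays within 10-100 ms).
    """
    for cost in range(lo, hi + 1):
        if measure(cost) * 1000.0 >= target_ms:
            return cost
    return hi

def needs_rehash(hash_str, current_cost):
    """True when a stored hash is weaker than today's calibrated cost."""
    return stored_cost(hash_str) < current_cost

def bcrypt_measure(cost):
    """Time one real hash; needs the third-party 'bcrypt' package."""
    import bcrypt
    start = time.perf_counter()
    bcrypt.hashpw(b"calibration-password", bcrypt.gensalt(rounds=cost))
    return time.perf_counter() - start

def model_measure(cost):
    """Constructed timing model: 0.25 ms at cost 4, doubling per step."""
    return 0.00025 * 2 ** (cost - 4)

if __name__ == "__main__":
    old = "$2b$10$" + "A" * 53  # constructed placeholder, not a real digest
    try:
        cost = calibrate_cost(bcrypt_measure)
    except ImportError:
        cost = calibrate_cost(model_measure)
    print("cost:", cost, "rehash old hash on next login:", needs_rehash(old, cost))
```

A hash flagged by `needs_rehash` can only be upgraded at the user's next successful login, since that is the one moment the plaintext password is available to re-hash at the new cost.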

