If you’re not using bcrypt, get with it or be vulnerable
Coda Hale writes:
Use bcrypt.
Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?
These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbish for storing passwords.
A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.
For PHP 5.5, use password_hash(). For PHP 5.3.7 through PHP 5.4.x, use the password_compat polyfill on GitHub.
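An added example, not code from this post or from Coda Hale's article: password_hash() with an explicit bcrypt cost, plus a login path that replaces a legacy MD5 record or an under-cost bcrypt hash once the user proves the password. The $users array, register(), login() and the cost of 12 are assumptions made for illustration; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example. BCRYPT_COST, $users, register() and login() are hypothetical names.
const BCRYPT_COST = 12; // assumption: raise it until one hash is as slow as your login can tolerate

// Constructed sample store standing in for a database table:
// one account still holds a legacy unsalted MD5 digest.
$users = [
    'alice' => ['scheme' => 'md5', 'hash' => md5('correct horse')],
];

function register(array &$users, $name, $password)
{
    // password_hash() generates the salt itself and embeds algorithm, cost and salt
    // in the returned string. Note that bcrypt only uses the first 72 bytes of input.
    $users[$name] = [
        'scheme' => 'bcrypt',
        'hash'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
    ];
}

function login(array &$users, $name, $password)
{
    if (!isset($users[$name])) {
        return false;
    }
    $record = $users[$name];

    if ($record['scheme'] === 'md5') {
        // Legacy path: compare in constant time, only to allow the upgrade below.
        $ok = hash_equals($record['hash'], md5($password));
    } else {
        $ok = password_verify($password, $record['hash']);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available now, so this is the moment to re-hash:
    // either the record is not bcrypt yet, or it was stored with an older, lower cost.
    $opts = ['cost' => BCRYPT_COST];
    if ($record['scheme'] !== 'bcrypt'
        || password_needs_rehash($record['hash'], PASSWORD_BCRYPT, $opts)) {
        register($users, $name, $password);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong guess'));
var_dump(login($users, 'alice', 'correct horse'));
var_dump($users['alice']['scheme'], password_get_info($users['alice']['hash']));
```

Accounts that never log in again keep their MD5 digest, so a migration like this still needs a plan for the records it does not reach.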
Read the full article at codahale.com