Creating a secure login system is a key part of blah blah blah blah /intro.
When I was in high school, I wrote the website for the lan party I used to run. I'm pretty sure I stored the user and password in cleartext in a mysql database, and even if I had heard of password hashing, the concept would have sounded like some unbelievable mission impossible shit. Now that I have to implement a login system for realz, I've been reading a lot of articles, pseudo articles, and stack overflow opinions on password security. Things are quite different now. Hashing passwords isn't even good enough. You need salts. You need stretching. You need all kinds of shit. I thought I would take a break from learning php and mysql again to comment on some notes I've taken.
Concerning passwords:
The best password, obviously, would be a minimum of 64 characters long and include lower case letters, upper case letters, numbers, symbols, unicode characters, klingon symbols and markings from an extinct redneck dialect of elfish that fell out of use after the first age of middle earth--most of which cannot be typed with any keyboard we here possess. Actually it would be best if the passwords included characters that cannot be typed with any keyboard. Then no one would ever crack the passwords.
Obviously we are going to need to salt them with a source of entropy based on two hydrogen atoms having quantum sex with each other, and OBVIOUSLY md5 and sha1 can't be used because some guys on the internet said so on stack overflow; clearly the hashing method we should use needs to be some kind of super secure algorithm that is so new no one, anywhere, has released a builtin library for it. Anything php supports must already have been cracked.
Of course rolling your own crypto algorithm is not a best practice. What we should really do, therefore, is maybe we should just not let anyone log into the system at all! Since we're an American-based company, the cunts at the NSA can just send us a secret letter and make us turn over all of our customer data anyway.
OR
We realize that there needs to be a balance between security and ease of use. I'm actually not storing any payment data in our own system anyway, so the worst an attacker should be able to do when hacking someone's account is change their membership level or cancel their account.