Usernames as is, passwords hashed with a salt. The salt is stored with the hash. It sounds counterintuitive, but the idea is that if you get hacked, the hacker needs to run the hash function for each one, vs. using an existing dictionary. So you don't just hash it directly, you hash it with the salt. The salt is just going to be a randomly generated string that you append to the password. That string is then stored with the account so it can be reused when verifying logins. When the user logs in, you then repeat the hash function on what they entered and compare it with the DB.
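
The store-and-verify flow described above, as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 from the Python standard library in place of a single hash pass (the salt is passed as the KDF's salt input rather than appended to the string), and a plain dict standing in for the database; all function names, field names and the iteration count are hypothetical choices.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor, not from the post; tune for your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # Slow, salted derivation: a cracker must redo this work per account,
    # so a dictionary of precomputed unsalted hashes does not apply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_account(db: dict, username: str, password: str) -> None:
    # Fresh random salt per account, stored next to the hash.
    salt = secrets.token_bytes(SALT_BYTES)
    db[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def verify_login(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Do comparable work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    # Repeat the derivation with the stored salt, then compare in constant time.
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    # Constructed sample data: two users who picked the same password.
    db = {}
    create_account(db, "alice", "correct horse")
    create_account(db, "bob", "correct horse")
    return db


if __name__ == "__main__":
    db = demo()
    print("same password, different hashes:", db["alice"]["hash"] != db["bob"]["hash"])
    print("good login:", verify_login(db, "alice", "correct horse"))
    print("bad login:", verify_login(db, "alice", "wrong"))
```

Because each account has its own salt, the two identical passwords in `demo()` produce different stored hashes, so cracking one reveals nothing about the other.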