Secure software protects users' passwords at rest. That is, unauthorized access by either an intruder or anyone having access to the storage space would not leak passwords. Password hashing is the accepted method for secure password storage. OWASP provides a comprehensive cheatsheet on secure password storage.
It is recommended to use hash algorithms with salt (a random unique value for each password) so that cracking of the hash value using brute force and rainbow tables becomes harder. Salts are stored in the same database as passwords. Reusing the salt and using short length salts are among common implementation errors. There are standard salted hash algorithms such as bcrypt and Argon2 (the winner of 2015 Password Hashing Competition) which are suitable for password hashing. In a 2019 post, Michele Preziuso discussed different attacks against password hashing algorithms (PBK2, bcrypt, scrypt, and argon2). He recommends the 'id' variant of Argon2 as well as scrypt as the most suitable choices considering different attack scenarios.
Peppering is another step toward the security of password hashes. A (cryptographic) pepper is a secret input added to the password before hashing. Unlike the salt, the pepper is not stored with the hashed password, it is usually hardcoded in the application. The pepper is an additional defense when the attacker has access to the password storage area.