Nielubie wrote:I read somewhere that md5 is not secure, that someone can do a brute and get the hash opened up. Is this correct?
It is a bit of an exaggeration for a good password, and it does not matter if your users never reuse passwords, but yes.
Nielubie wrote:I read something about SALT but have no idea what that means.
You probably want to hash the password rather than encrypt it. A salt is some value that is combined with the password to produce the final hash value. Using user specific salt values helps to prevent certain kind of attacks from being used to retrieve the passwords of your users in the event that your database is compromised.
Nielubie wrote:What would be the best method to encrypt a password in a login system? md5, sha1
It depends. Generally, a randomly generated salt value used such as:
$hash = sha1(sha1($password) . $salt);
will suffice (assuming that your salt value is long enough), but then you might want to use newer hash algorithms available via [man]hash[/man] and/or apply the hash algorithm in iterations, e.g.,
// $salt is a random per-user value, $count is the number of iterations
$hash = sha1($password);
for ($i = 0; $i < $count; ++$i) {
    $hash = sha1($hash . $salt);
}
Yet another option would be to implement something like what is described in this paper on A Future-Adaptable Password Scheme, but... it may be overkill for your purposes.
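The salted, iterated scheme from the reply above, worked through as an added example (not code from the original post): a fresh random salt per user, the iteration loop, the salt and count stored beside the hash, and a constant-time comparison at login. The function names, the 100000 iteration count and the `$`-separated record format are assumptions.

```php
<?php
// Added example, not from the original post. Uses the hash() extension so the
// algorithm can be swapped; the names, count and record format are assumed.

const HASH_ALGO  = 'sha256';  // newer algorithm available via hash()
const ITERATIONS = 100000;    // work factor; raise it as hardware gets faster

// Start from hash(password) and feed hash . salt back in $count times, as in
// the loop above. A per-user salt means two users with the same password get
// different hashes, so one precomputed table cannot cover every account.
function derive_hash(string $algo, string $password, string $salt, int $count): string
{
    $hash = hash($algo, $password, true);
    for ($i = 0; $i < $count; ++$i) {
        $hash = hash($algo, $hash . $salt, true);
    }
    return $hash;
}

// Registration: draw a 16-byte salt from the CSPRNG and store algorithm,
// iteration count, salt and hash together so login can recompute the hash
// even after the defaults above are raised for new accounts.
function create_record(string $password): string
{
    $salt = random_bytes(16);
    $hash = derive_hash(HASH_ALGO, $password, $salt, ITERATIONS);
    return implode('$', [HASH_ALGO, ITERATIONS, bin2hex($salt), bin2hex($hash)]);
}

// Login: recompute with the stored parameters and compare in constant time,
// so the comparison does not leak how many leading bytes matched.
function verify_password(string $password, string $record): bool
{
    [$algo, $count, $saltHex, $hashHex] = explode('$', $record);
    $expected = hex2bin($hashHex);
    $actual   = derive_hash($algo, $password, hex2bin($saltHex), (int) $count);
    return hash_equals($expected, $actual);
}

// Constructed sample: register one password, then try a right and a wrong login.
$record = create_record('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $record));
var_dump(verify_password('wrong password', $record));
```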