أنشئ حسابًا أو سجّل الدخول للانضمام إلى مجتمعك المهني.
You need, from the beginning, to choose a best hash method to encrypt the passwords which is SHA-386. Hashing is different than encryption, hashing is only a one way function, so if you hashed the passwords, you will not retrieve them back into a text format, while encyption is a two way function and you can retrieve the passwords back into the text format if the hacker knows the encryption key.
I highly encourage one-time passwords (OTP) systems. Two-Factor authentication mechanisms should be put in place for added security. However, security practices dictates that educating users is of a mandatory requirement when it comes to compromised credentials. Before even implementing any security tool, your users (employees) must be kept trained. Users are the main source of all security issues even if you have the golden globe in information security.
There are actually many methods to secure passwords in your place. Here are few of what i remember:
1) Use OTP systems.
2) Create a password policy so that passwords expire every30 days.
3) Of course, you guessed it, create a complex combination in your passwords. In my place, i use at least passwords of10 characters long, mixed with whatever you like.
Passwords should never be stored or transmitted. After an attack or a suspicion you should reset the passwords of affected or all users. They would have to choose a new password upon the first login after the reset.
You need to email the users with a password reset link. If all users do not have emails you can SMS them the new randomly generated password. Regardless of the medium used to communicate a new random password you need to ensure that the new password has validitiy for a small duration (1-3 days) or the first login whichever is earlier. Again the users must choose a new password upon their first login.
If email and SMS are also not possible then you need to search for alternatives such as Interactive Voice Response (IVR) or the like.