Set up a dummy mysql user that does not have any rights outside of thier table, and store real users encrypted passwords in the table. Have the real password be some random variation of what the users set, and then use the pasword that the users set as the encryption key for the password in the database. You can use something like blowfish to encrypt it. By randomizing their password, you can adjust/verify the password length. That along with strong encrypton, even if some one could get the encrypted password from the database, they would have a very difficult time decrypting them. If that is not secure enough you could use 3DES + blowfish to doulble encrypt the password.....


This is what I would do anyway, because it is simple but effective.