Since a high-profile site was recently hacked, several people have been asking what the correct way to hash passwords is. The short answer is bcrypt, making sure the hash starts with `$2y$` (you could also use scrypt, but bcrypt is more common). The reason bcrypt is the best answer is that it uses over 4 KiB for its internal state, which makes GPUs much less effective at cracking it. The only drawback of bcrypt is that passwords have a maximum length of 72 bytes. You could SHA256 the password first and send the hex digest to bcrypt, but that breaks compatibility with standard bcrypt hashes.

There is one extra step to secure your passwords even more: encrypt the hash with a key that lives in the source code or in a file outside the database. This way, if your site falls to a SQL injection attack, the leaked hashes are useless unless the attacker can also get the key from the source code or file.

Here's an implementation in PHP of this using AES256-CBC and bcrypt:
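As an added example (not the post's own implementation), the approach above in PHP: bcrypt via `password_hash()`, then AES-256-CBC with a random IV over the resulting hash. It assumes PHP 7.0+ with the openssl extension and a 32-byte key loaded from a file outside the web root (the path `/etc/myapp/hash.key` is a placeholder).

```php
<?php
// Added example: bcrypt hash, then encrypt the hash with a key kept out of the DB.
// Assumes a 32-byte raw key; aes-256-cbc requires exactly 32 key bytes.
const BCRYPT_COST = 12;
const IV_LEN = 16; // AES block size

function load_key(): string {
    // Placeholder path: 32 random bytes, mode 0400, outside the web root.
    $key = file_get_contents('/etc/myapp/hash.key');
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('hash key missing or not 32 bytes');
    }
    return $key;
}

function protect_password(string $password, string $key): string {
    // bcrypt silently truncates at 72 bytes; refuse rather than hide it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]); // "$2y$12$..."
    $iv = random_bytes(IV_LEN);
    $ct = openssl_encrypt($hash, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store IV || ciphertext so each record carries its own IV.
    return base64_encode($iv . $ct);
}

function verify_password(string $password, string $stored, string $key): bool {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= IV_LEN) {
        return false;
    }
    $iv = substr($raw, 0, IV_LEN);
    $ct = substr($raw, IV_LEN);
    $hash = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    // A wrong key yields garbage (or false); require a bcrypt prefix before verifying.
    if ($hash === false || strpos($hash, '$2y$') !== 0) {
        return false;
    }
    return password_verify($password, $hash); // constant-time comparison inside
}

// Usage:
// $key = load_key();
// $stored = protect_password($_POST['password'], $key);  // save $stored in the DB
// $ok = verify_password($_POST['password'], $stored, $key);
```

Without the key, a dumped `$stored` column cannot even be fed to a bcrypt cracker, which is the whole point of the extra layer.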

UPDATE: So apparently you can run commands and write files with SQL injections. That makes the encryption step more or less pointless unless your web server is on a different computer/VM than your database server. Thank you Jeremi Gosney for informing me. Everything above is still valid and should be done if you have two servers/VMs (sorry, target market of everyone with a website), except for the bcrypt(sha256(password)) idea, because that breaks compatibility.