SecPrep

How should an application store user passwords?

Never store passwords in plaintext or as fast general-purpose hashes (MD5, SHA). Use a slow, salted password hashing function: argon2id (preferred), scrypt, or bcrypt, with a random per-user salt and work factors tuned to your hardware. Add a server-side pepper if you have a secure secret store to keep it in. Compare hashes in constant time, and re-hash a password at login when the stored hash's parameters are below the current settings.
