[eluser]Dregond Rahl[/eluser]
I currently use sha256 with a salt of the config encryption key and the email address field. It seems to work quite well so far. The config key itself is random and 50 characters long. I think the email address is a good field to use because it can contain characters like " . - @ _ " too.
Another thing I noticed is that a lot of people use "password" for the password field. I instead use Hash_1, Hash_2, Hash_3 and such, so then you can't find out if it's the token for the auto login, or the password, or the session key and such.
Another field you could add to the password string is the sign-up timestamp.
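The scheme described in the post above, as an added example that is not the poster's code, shown beside a variant that uses a random per-user salt and PBKDF2 with the config key as an HMAC pepper. `SITE_KEY`, the function names, the concatenation order and the stored-hash format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the config encryption key mentioned in the post.
SITE_KEY = "constructed-config-key-for-illustration-only-00000"

def post_scheme(email: str, password: str, site_key: str = SITE_KEY) -> str:
    # SHA-256 with salt = config key + email address, as the post describes.
    # The order of concatenation is an assumption; the post does not state it.
    return hashlib.sha256((site_key + email + password).encode()).hexdigest()

def post_scheme_verify(email: str, password: str, stored: str) -> bool:
    return hmac.compare_digest(post_scheme(email, password), stored)

def kdf_hash(password: str, site_key: str = SITE_KEY, iterations: int = 600_000) -> str:
    # Comparison variant: random 16-byte salt stored with the hash, iterated KDF.
    salt = os.urandom(16)
    peppered = hmac.new(site_key.encode(), password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def kdf_verify(password: str, stored: str, site_key: str = SITE_KEY) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    peppered = hmac.new(site_key.encode(), password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    stored = post_scheme("alice@example.com", "hunter2")
    # Same password, different user: the email in the salt gives a different hash.
    print(post_scheme("bob@example.com", "hunter2") != stored)
    # The email is part of the salt, so a changed address no longer verifies
    # until the hash is recomputed from the plaintext password.
    print(post_scheme_verify("alice@new.example", "hunter2", stored))
    record = kdf_hash("hunter2")
    print(kdf_verify("hunter2", record), kdf_verify("wrong", record))
```
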