what is the absolute most secure method for password hashing
To answer on the premise of the question: The absolute most secure will probably a composition of:
- First a Hardware Security Module, using HMAC with a secret key managed by the HSM,
- followed by hashing with the winner of the Password Hashing Competition, once that winner has been found, and has had 5-10 years of exposure to the real world and peer reviews.
Until that time, the most secure is probably:
- A HSM as above, and
- One of the good choices from the canonical answer on password hashing.
However, realistically password hashing isn't at major issue, and just hashing with any one of the 'good' solutions will more than suffice. The good solutions are:
- BCrypt,
- PBKDF2 with HMAC with SHA256 (or 512).
- And many people also consider SCrypt a strong choice, though some consider it a tad young.
For both of the above you should not roll your own composition. You should always use a mature, well tested and vetted library designed for long term password storage. Password hashing isn't only about using BCrypt or PBKDF2, you want a composition with sensible default values for character encodings, salt, iteration count/cost factors, etc.
