The best practices IMO are:

• Use a hashing algorithm such as SHA256 or SHA512. MD5 is insecure now as you can reverse the hash/perform a rainbow attack.

• Use a strong salt to ensure an attacker cannot guess commonly hashed passwords if they ever gained entry to your database.

• Do not use encryption.

• Only hash the passwords, usernames and e-mails are fine as plain text.

It's only really the password that you need encrypting. Realistically, you should be both Hashing (that's what you mean when you say encoding) in an algorithm at least SHA-256 really (I'm pretty sure MD5 and SHA1 are crackable?) AND Salting your passwords to be extra safe.

Here's an answer on the preferred method of storing them: Preferred Method of Storing Passwords In Database

Usernames and emails should not be encrypted, you need them to be in plaintext, they will be more useful that way.

As for the passwords: they should ABSOLUTELY be encrypted or hashed, preferably with salt too. Up until now I used a somewhat interesting technique to do this: AES, the key for which is the password itself. So if the user makes his password to be "blabla123", then I would store it in MySQL by calling AES_ENCRYPT('blabla123', 'blabla123'). There are 2 advantages for this:

• you don't store the encryption key anywhere
• each password is encrypted using a different key. So even if you figure a key out, it will have a limit on its usefulness.

The validity is then done by encrypting what the user types and comparing the 2 values.

The password should be protected by hashing with a strong salt (either MD5 or SHA1 are fine), to prevent attack using rainbow tables.

You shouldn't hash the email address - as soon as you hash it, you're unable to use it for anything other than checking against what the user types in, so having it hashed would prevent you emailing that person. Equally the username would be best stored in plain text to let you identify that person.