PHP
iliyaisd, 2015-11-26 05:34:08

It is required to store the password in the database - how?

The task is slightly non-trivial: the project needs to store, on its side, the user's password for a certain external resource (the resource has no API, so we need the user's credentials in order to constantly pull information from it).
The question is how best to do this, so that at least it is not stored completely in the open. Somehow encrypt it in the database and keep the key separately?
Thank you.


5 answer(s)
D', 2015-11-26
@iliyaisd

All the options above do not provide reasonable protection against data theft. Having gained access to the server, I can easily get at all the passwords, which are stored in "clear" form.
The correct option:
Set up your API on an external server, to which the users' plaintext usernames/passwords are handed off. Contact with this server happens only through the API, at the level of: save data, start work, return work status, update data.
Then even if I gain access to the main server, I will physically be unable to obtain the users' plaintext passwords. The most I can do is cause harm by deleting this data. But I can do that on the main server as well.

Androguide, 2015-11-26
@Androguide

php.net/manual/ru/faq.passwords.php
Use what the language gives.
php.net/manual/en/function.password-hash.php

Dmitry, 2015-11-26
@deemytch

Solution: encrypt all the data for accessing the third-party resource using the user's password for accessing your site, and do not store that password in the database.
During authorization, we decrypt the data and put it in temporary storage in memory.

Boris Ivanov, 2015-12-03
@Boris

You can encrypt passwords like this:

-- Requires the pgcrypto extension (pgp_pub_encrypt, pgp_pub_decrypt, dearmor):
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Encrypts a text value with the PGP public key kept on the server's file system.
-- pg_read_file() resolves paths relative to the data directory and is restricted to
-- superusers (or the pg_read_server_files role), hence SECURITY DEFINER.
CREATE OR REPLACE FUNCTION el_encrypt
(
  value text
)
RETURNS bytea
AS $BODY$
BEGIN
  RETURN pgp_pub_encrypt(value, dearmor(pg_read_file('pgpkeys/pgp-pg-el-public.key')));
END;
$BODY$ LANGUAGE plpgsql
SECURITY DEFINER;

Decryption:

-- Decrypts a value produced by el_encrypt with the matching private key.
-- Anyone who can call this function can recover the plaintext, so restrict
-- EXECUTE on it to the application role that actually needs it.
CREATE OR REPLACE FUNCTION el_decrypt
(
  value bytea
) RETURNS text AS
$BODY$
BEGIN
  RETURN pgp_pub_decrypt(value, dearmor(pg_read_file('pgpkeys/pgp-pg-el-private.key')));
END;
$BODY$
LANGUAGE plpgsql
SECURITY DEFINER;

When a database dump is obtained, the data cannot be read without the keys, and the keys are stored in the file system. This is a fairly simple and relatively secure storage option. How to generate the keys is described in the PostgreSQL documentation.

akzhan, 2015-12-03
@akzhan

Do not keep it in the database; keep it in the config, which is available only to the production servers.
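As an added example (not code from any answer in this thread), here is what Dmitry's and akzhan's approaches look like in PHP with libsodium: the third-party credential is sealed with a key that is either derived from the user's own login password or loaded from the production config, so the database row alone reveals nothing. The function names, the sample password and the env variable name are assumptions.

```php
<?php
// Added example (not from the thread): encrypt a third-party credential so that the
// database row on its own is useless. The secretbox key comes either from the user's
// login password (Dmitry's answer) or from a key kept outside the DB (akzhan's answer).
// Needs PHP >= 7.2 with ext-sodium. Function names are assumed.
// Derive a 32-byte key from the user's site password and a per-user random salt.
function key_from_password(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt, // exactly SODIUM_CRYPTO_PWHASH_SALTBYTES (16) bytes
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}
// Authenticated encryption; returns base64(nonce || ciphertext) for the DB column.
function seal_credential(string $secret, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($secret, $nonce, $key));
}
// Returns null on a wrong key or a tampered row (secretbox is authenticated).
function open_credential(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : $plain;
}

// Variant 1 (Dmitry): key derived from the password the user just typed at login.
// Caveat: on a password change, re-encrypt while the old password is still in memory;
// a reset without the old password loses the stored credential.
$userPassword = 'correct horse battery staple';        // constructed sample
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);  // stored next to the row, not secret
$row  = ['salt' => base64_encode($salt),
         'cred' => seal_credential('third-party-pass', key_from_password($userPassword, $salt))];
$key  = key_from_password($userPassword, base64_decode($row['salt']));
$cred = open_credential($row['cred'], $key);   // keep in memory/session only; never write it back
sodium_memzero($key);

// Variant 2 (akzhan): key lives in the config on the production host, never in the DB.
$cfgKey = sodium_crypto_secretbox_keygen();     // in practice: base64_decode(getenv('CRED_KEY'))
var_dump($cred === 'third-party-pass', open_credential(seal_credential('third-party-pass', $cfgKey), $cfgKey) === 'third-party-pass');
```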
