编辑

好的，我已经误解了你的问题，我以为你正在创建一个登录表单，想知道如何存储用户密码我现在明白，你只需要将数据库的密码存储在一些其他数据库。

如果不知道其他数据库的密码的人可以访问这个密码数据库，那么简单的答案是：强>不要存储它们当然，正如你所说，通过将数据库中的清除密码存储在数据库中，任何人都可以看到它们。你需要理解的是，加密它们不会以任何方式帮助。如果您加密它们，那么您的应用程序将需要能够解密它们（即，您的应用程序将需要知道密钥）。如果您的应用程序知道密钥，那么任何有权访问您的源代码的人都可以使用该密钥，然后解密存储在数据库中的密码。

什么你应该做的是将它们存储在只有那些应该知道密码有权访问的人。例如，您可以将它们存储在加密配置文件中。该文件的权限应以只有正确的操作系统用户（例如根）可以读取的方式进行设置。然后您的应用程序将从该文件中读取密码。

---

您应该在将密码保存到数据库之前进行哈希密码（理想情况下应用级）。通过散列，您可以将给定的输入字符串转换为另一个具有固定长度的字符串。生成的字符串[理想情况下]永远不会发生冲突，这意味着password123会生成一个字符串，而password1234会产生另一个完全不同的字符串。

当用户想要登录时，您再次对其提供的密码进行哈希，并将其与存储在数据库中的哈希进行比较。如果它们相等，那么密码是正确的。

如果由于某种原因，您无法在应用程序级别进行哈希，则可以使用PL / SQL的内置-in哈希函数（文档）。

请注意，如果您使用SHA512进行散列，并将其直接存储在数据库中，则仍然可以发现原始密码。要真正使您的密码安全，无人能够解密他们即使他们有访问您的数据库是通过散列密码随机盐。如果您想了解更多信息，您可以阅读 bcrypt 。

I was thinking about this particular scenario .

Suppose I have a table named db_passwords,which stores the passwords for different databases. And now I am worried that anyone can view these passwords by writing a simple selection statement . At the same time I want to have the facility to connect to a particular database from a program .

I got to know that there are oracle encryption packages which encrypts a particular column , by the help of which I can encrypt a particular column of a table and the logging to a db is done by the help of a key . But I couldn't draw a clear picture of what happens in such a scenario , like , for a particular line of a code meant to connect to a db as follow : sql > connect to "username" identified by "password " using ' db_name". In the above statement , in place of password , am I supposed to enter the key and if I enter the key will pl/sql automatically decrypt it ? Looking forward to your illustrations and insights on what exactly happens in such situations .

EDIT

Ok, I had misinterpreted your question. I thought you were creating a login form and wanted to know how to store users passwords. I now understand you simply want to store the passwords for your databases in some other database.

And well, if people that are not supposed to know the passwords for other databases have access to this "password database", then the simple answer is: don't store them there.

Of course, as you noted, by storing passwords in the clear in your DB, anyone will be able to see them. What you need to understand, though, is that encrypting them will not help in any way. If you encrypt them, then your application will need to be able to decrypt them (that is, your application will need to know the key). If your application knows the key, then anyone who has access to your source code is able to take that key and then decrypt the passwords that are stored in the database.

What you should do is store them somewhere only those who are supposed to know the passwords have access to. You can, for example, store them in an encrypted configuration file. The permissions for that file should be set in a way that only the correct OS users (the root, for example) can read it. Then your application will read the password from that file.

---

You should hash passwords before saving them to the database (ideally in the application level). By hashing, you transform a given input string into another one with a fixed length. The generated string will [ideally] never collide, meaning that "password123" will generate a string, while "password1234" will generate another one completely different.

When the user wants to log-in, you again hash the password he provided and compares it to the hash that is stored on the database. If they're equal, then the password is correct.

If, for some reason, you can't hash at the application level, you can use PL/SQL's built-in hash functions (documentation).

Please note that if you hash with, say, SHA512 and store it directly on the database, there are still ways to discover the original password. To really make your passwords secure in a way no one would be able to "decrypt" them even if they have access to your DB is by hashing the passwords with a random salt. If you want to know more about that, you can read about bcrypt.