不存储密码.如果它曾经位于磁盘上，则可能被盗.而是存储密码哈希. 使用正确的哈希算法，例如bcrypt(包含盐). /p>

编辑:OP回复说他了解上述问题.

无需将密码存储在与登录信息完全不同的表中.如果一个数据库表被破坏，则访问同一数据库中的另一个表并不是一个很大的飞跃.

如果您充分关注安全性和深度安全性，则可以考虑将用户凭据存储在与域数据完全独立的数据存储中.通常采用的一种方法是将凭据存储在LDAP目录服务器中.这也可能对您以后进行的单点登录工作有所帮助.

I'm using Mysql and I was assuming it was better to separate out a users personal information and their login and password into two different tables and then just reference them between the two.

Note : To clarify my post, I understand the techniques of securing the password (hash, salt, etc). I just know that if I'm following practices from other parts of my life (investing, data backup, even personal storage) that in the worst case scenario (comprised table or fire) that having information split among tables provides the potential to protect your additional data.

Don't store passwords. If it's ever sitting on a disk, it can be stolen. Instead, store password hashes. Use the right hashing algorithm, like bcrypt (which includes a salt).

EDIT: The OP has responded that he understands the above issue.

There's no need to store the password in a physically different table from the login. If one database table is compromised, it's not a large leap to access another table in that same database.

If you're sufficiently concerned about security and security-in-depth, you might consider storing the user credentials in a completely separate data store from your domain data. One approach, commonly done, is to store credentials in an LDAP directory server. This might also help with any single-sign-on work you do later.