您甚至没有指定您正在使用的语言。我假设您使用的是Java。这很好，因为解决方案的想法对于任何其他语言都是一样的。



首先，你永远不应该把密码存储在任何地方：这是不安全的绝对不需要身份验证。 （惊讶？不同意？继续阅读...）首先，没有人应该知道原始密码，即使是完全访问密码存储的人;只有最初创建密码的人应该能够知道它;密码对其用户有一个单独的值，超出了对某个实体的保护。



这就是这个问题的解决方法：你计算加密哈希函数密码和仅存储哈希，仅比较哈希与哈希。此功能使加密不可行恢复原始密码（请记住，这不是加密）。请参阅：

http://en.wikipedia.org/wiki/Cryptographic_hash_function [ ^ ]。



您可以使用 Java.java.security.MessageDigest ：

http://docs.oracle.com/javase/7/docs/api/java/security/MessageDigest.html [ ^ ]。



更好地使用SHA-256，这是SHA-2系列的算法之一，而不是SHA-1，它被发现被破坏了。请参阅：

http://en.wikipedia.org/wiki/SHA-2 [ ^ ]，

http://en.wikipedia.org/wiki/SHA-1 [ ^ ]。



请不要以为我只需要简单的保护。这个解决方案已经很简单;它被普遍接受。如果你存储密码，你不仅可以打破一个特定的应用程序，这没关系。您可能会泄露某些人的密码，这是不可接受的。

-SA

You did not even specify the language you are using. I'll assume you are using Java. It's fine, because the idea of the solution will be the same for any other language.

First of all, you should never ever store passwords anywhere: this is unsafe and absolutely not needed for authentication. (Surprised? Disagree? Keep reading…) First of all, no one should know original passwords, even the person who has the full access to the password storage; only the person who initially created a password should be able to know it; a password has a separate value for its user, beyond its protection of certain entity.

This is how this problem is solved: you calculate the cryptographic hash function of passwords and store only hash, compare only hash with hash. This function makes it cryptographically infeasible to restore original password (remember, this is not encryption). Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].

You can use Java.java.security.MessageDigest:
http://docs.oracle.com/javase/7/docs/api/java/security/MessageDigest.html[^].

Better use SHA-256, one of the algorithms from SHA-2 family, and not SHA-1, which was found broken. Please see:
http://en.wikipedia.org/wiki/SHA-2[^],
http://en.wikipedia.org/wiki/SHA-1[^].

Please don't think "I only need simple protection". This solution is already simple; and it is commonly accepted. If you store passwords, you don't just allow to break one particular application, which would be fine. You would potentially disclose some people's passwords, that would be unacceptable.

—SA