You did not even specify the language you are using. I'll assume you are using Java. It's fine, because the idea of the solution will be the same for any other language.
First of all, you should never ever store passwords anywhere: this is unsafe and absolutely not needed for authentication. (Surprised? Disagree? Keep reading…) First of all, no one should know original passwords, even the person who has the full access to the password storage; only the person who initially created a password should be able to know it; a password has a separate value for its user, beyond its protection of certain entity.
This is how this problem is solved: you calculate the
cryptographic hash function of passwords and store only hash, compare only hash with hash. This function makes it
cryptographically infeasible to restore original password (remember, this is not encryption). Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function[
^].
You can use
Java.java.security.MessageDigest:
http://docs.oracle.com/javase/7/docs/api/java/security/MessageDigest.html[
^].
Better use SHA-256, one of the algorithms from SHA-2 family, and not SHA-1, which was found broken. Please see:
http://en.wikipedia.org/wiki/SHA-2[
^],
http://en.wikipedia.org/wiki/SHA-1[
^].
Please don't think "I only need simple protection". This solution is already simple; and it is commonly accepted. If you store passwords, you don't just allow to break one particular application, which would be fine. You would potentially disclose some people's passwords, that would be unacceptable.
—SA
Submit an article or tip