问题
I want to store some passwords on my database at server.
The passwords should be recoverable, since I want to use them for a third-party api which needs the password. (So I can't use one-way methods like md5...)
What is the best method to save passwords in database? Isn't there any better way than storing plain text?
回答1:
AES is cryptographically sound and probably the most common encryption (as opposed to hashing) mechanism selected for new applications.
Take care to generate a random initialization vector (IV) for each password that you encrypt, and store the Key and the IV separately from the encrypted password bytes.
To understand differences between AES and Rijndael check out
http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-rijndael-and-aes.aspx
there are some differences between Rijndael and the official FIPS-197 specification for AES
You should use a unique IV per user. However, storing the key-per-user makes for a complex key management scenario. I would suggest one key for the application and an IV per user.
The IV can be saved alongside the ciphertext. The key should be stored outside of the database.
You could store the key, encrypted, in web.config. See this.
来源:https://stackoverflow.com/questions/11635798/preferred-recoverable-method-to-store-passwords-in-database