以安全的方式在Sql server数据库中存储密码。

好吧，我的建议是不要通过以纯文本形式发送密码来实现忘记密码在电子邮件中。



我宁愿将忘记密码扩展为重置密码。因此，如果您忘记密码，您将*重置密码。



这是标准的，更安全的做法紧随其后。原因是，我以某种方式访问​​您的电子邮件，我说忘记了系统的密码。我不仅可以访问您的电子邮件，而且还知道您使用的TEXT PASSWORD（并且可能在其他网站中使用）。



只是想一想它！

Well, my suggestion would be not to implement the Forgot Password by sending their password as plain text in email.

I would rather extend Forgot Password as Reset Password. Thus, if you forget your password you are forced to reset your password.

And this is standard and more secure practice followed. Reason being, I get access your email somehow and I say forgot password for your system. Not only I have access your email but I also know the TEXT PASSWORD which you use (and may be using in number of other sites).

Just give a thought about it!

Forgor密码功能并不意味着向用户发送旧的纯文本密码。一点也不。实际上，这是应用程序中最容易受到攻击的一点，因为您无法控制正在发生的事情。生成一次性密码并将该密码发送给用户并强制用户更改密码是常见的方法，尽管不比发送旧密码更安全。为什么？因为只有一个通道而且涉及一个组件。



如果你想识别某个人，你有三个组件可以使用，你可以问三种问题。

您可以使用这些组件识别：

1）您拥有的东西 - 硬或软代币，智能卡，手机

2）你知道什么 - 密码，问题的答案

3）你是什么 - 生物统计数据

对于一般的网络应用程序，很难实现第三部分。不过，你剩下两个了。你应该使用这两个。



尽管如此，大多数页面只使用第二个组件，但至少它们至少使用了它的两个不同方面，如密码和秘密问题。如果您的申请不是那么重要，您也可以这样做。



这是一个很好的起点： https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet [ ^ ]，还有一些想法： http://www.securabit.com/wp-content/uploads/2010/08/self-service-password-reset_v5-1.pdf [ ^ ]

"Forgor password" functionality does not mean sending old plain text password to the user. Not at all. Actually this is the most vulnerable point in an application, since you have no control over what's happening. Generating one-time-password and sending that one to the user and forcing the user to change it is common approach, although not more secure than sending the old password. Why? Because there is only one channel and one component is involved.

If you want to identify somebody, you have three components to use, you can ask three kind of "questions".
You can be identified using these components:
1) what you have - a hard or soft token, smart card, a phone
2) what you know - a password, an answer to a question
3) what you are - biometrical data
For a general web application it is hard to implement the third component. Still, you have two left. You should use these two.

Still, most pages use only the second component, but at least they are using at least two different aspects of it, like passwords and secret questions. If your application is not that critical, you can do the same.

This is a good starting point: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet[^], and some more thoughts here: http://www.securabit.com/wp-content/uploads/2010/08/self-service-password-reset_v5-1.pdf[^]

使用主密钥加密..

Encrypt using the master key..

-- Create database Key
USE Hassan_Web_Project_DB;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Password123';
GO

-- Create self signed certificate
USE Hassan_Web_Project_DB;
GO
CREATE CERTIFICATE Certificate1
WITH SUBJECT = 'Protect Data';
GO

-- Create symmetric Key - This is used to both encrypt and decrypt our data
USE Hassan_Web_Project_DB;
GO
CREATE SYMMETRIC KEY SymmetricKey1
 WITH ALGORITHM = AES_128
 ENCRYPTION BY CERTIFICATE Certificate1;
GO

现在通过加密插入

Now insert by encrypting

INSERT INTO dbo.User_Login (User_ID, User_Name, User_Password)
VALUES (25665, 'mssqltips4', EncryptByKey( Key_GUID('SymmetricKey1'), CONVERT(varchar,'4545-58478-1245') ) )

并通过解密来选择

And select by decrypting

SELECT User_ID, User_Password AS 'Encrypted User_Password',
CONVERT(varchar, DecryptByKey(User_Password)) AS 'Decrypted User_Password'
FROM dbo.User_Login;