Don't store passwords. If it's ever sitting on a disk, it can be stolen. Instead, store password hashes. Use the right hashing algorithm, like SHA256, BCryptor Saltthe hash.

不要存储密码。如果它曾经坐在磁盘上，它可能会被盗。相反，存储密码哈希。使用正确的散列算法，如SHA256、BCrypt或Salt散列。

Here are some useful links you must see:

以下是您必须查看的一些有用链接：

• How to best store user information and user login and password
• Best practices for storing database passwords
• Password Management Best Practices (soup to nuts, not just storage or generation)
• Salting Your Password: Best Practices?
• Is it ever ok to store password in plain text in a php variable or php constant?
• Fundamental difference between Hashing and Encryption algorithms
• http://www.jasypt.org/howtoencryptuserpasswords.html
• http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
• Java - Hash algorithms - Fastest implementations
• Fast MD5 Implementation in Java
• https://security.stackexchange.com/questions/12009/definitely-safest-password-storage-scheme

• 如何最好地存储用户信息和用户登录名和密码
• 存储数据库密码的最佳实践
• 密码管理最佳实践（不只是存储或生成）
• 盐渍你的密码：最佳实践？
• 可以将密码以纯文本形式存储在 php 变量或 php 常量中吗？
• 散列和加密算法之间的根本区别
• http://www.jasypt.org/howtoencryptuserpasswords.html
• http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
• Java - 哈希算法 - 最快的实现
• Java 中的快速 MD5 实现
• https://security.stackexchange.com/questions/12009/definely-safest-password-storage-scheme

Hope this helps.

希望这可以帮助。

Here is the algorithm I use to crypt with MD5.It returns your crypted output.

这是我使用 MD5 加密的算法。它返回您的加密输出。

   public class CryptWithMD5 {
   private static MessageDigest md;

   public static String cryptWithMD5(String pass){
    try {
        md = MessageDigest.getInstance("MD5");
        byte[] passBytes = pass.getBytes();
        md.reset();
        byte[] digested = md.digest(passBytes);
        StringBuffer sb = new StringBuffer();
        for(int i=0;i<digested.length;i++){
            sb.append(Integer.toHexString(0xff & digested[i]));
        }
        return sb.toString();
    } catch (NoSuchAlgorithmException ex) {
        Logger.getLogger(CryptWithMD5.class.getName()).log(Level.SEVERE, null, ex);
    }
        return null;


   }
}

You cannot decrypt MD5, but you can compare outputs since if you put the same string in this method it will return the same crypted output.If you want to decrypt you need to use the SHA.You will never use decription for a users password.For that always use MD5.That exception is pretty redundant.It will never throw it.When you add the password to the database, you add what this method returns.To login you compare them.

您无法解密 MD5，但您可以比较输出，因为如果您在此方法中放置相同的字符串，它将返回相同的加密输出。如果您想解密，您需要使用 SHA。您永远不会使用用户密码的描述。因为总是使用 MD5。那个异常是非常多余的。它永远不会抛出它。当你将密码添加到数据库时，你添加这个方法返回的内容。登录你比较它们。

Since logically your application and database can exist in two separate physical boxes, it is more safe an option if you encrypt your password in application layer and then move it to database.

由于逻辑上您的应用程序和数据库可以存在于两个独立的物理盒子中，如果您在应用程序层加密密码，然后将其移动到数据库，则这是一个更安全的选择。

From application design point of view you should consider encryption, hashing your password at a very early level so that from layer to layer your password doesnt move as plain string.

从应用程序设计的角度来看，您应该考虑加密，在很早的级别对您的密码进行散列处理，这样您的密码就不会像普通字符串一样在层与层之间移动。

Offtopic:

无关：

MD5 is prone to collision attack, you would consider using saltlike appending email or dynamically generated values to prevent Rainbow Table.

MD5 容易发生碰撞攻击，您可以考虑使用诸如附加电子邮件或动态生成值之类的salt来防止Rainbow Table。

definitely-safest-password-storage-scheme

绝对最安全的密码存储方案