I'm wondering how to encrypt my password column in SQL Server 2008. I've read this article, but I still have no idea how... is there an easier-to-understand tutorial? Thanks!
The usual practice is to store a hash of the password. Like:
HASHBYTES('SHA1', convert(varbinary(32), @password))
With a hash, you can verify if the password matches, but you don't know the password itself. So even if a hacker gains complete access to your database, he still does not know the passwords.
There are many tutorials on the web.
You should consider storing hashes of passwords instead of using encryption. In case you are unaware of the differences, a hash (also called a one-way hash) takes an input and produces gobbledygook (called a hash) such that for the same input the same gobbledygook is produced. Authentication works by hashing what the user entered on the client and comparing it to the gobbledygook in the db. If they match, the passwords are the same. Without getting into specifics, hashes can never be reverted back to plain text, which is their protection. Encryption, however, involves creating a cipher such that if you have the decryption key you can revert the cipher back to plain text.
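The two answers above both recommend a verify-only hash over reversible encryption, and the first shows a bare HASHBYTES call. The T-SQL below is an added example, not code from the question or any answer: it stores a random per-user salt next to the hash so that two users with the same password do not share a stored value, verifies a login by recomputing the hash with the stored salt, and then contrasts that with ENCRYPTBYPASSPHRASE/DECRYPTBYPASSPHRASE to show why an encrypted column can be turned back into the password by anyone holding the key. The table and procedure names are assumptions made for this illustration.

```sql
-- Added example (not from the original question or answers): a salted,
-- verify-only password store in T-SQL, contrasted with reversible encryption.
-- Table and column names (dbo.AppUser, dbo.SetPassword, dbo.CheckPassword)
-- are assumptions for this illustration.
-- Requires SQL Server 2008 or later (CRYPT_GEN_RANDOM, MERGE, HASHBYTES).

CREATE TABLE dbo.AppUser (
    UserName     nvarchar(64)   NOT NULL PRIMARY KEY,
    PasswordSalt varbinary(16)  NOT NULL,  -- random, one per user
    PasswordHash varbinary(20)  NOT NULL   -- SHA1 output is 20 bytes
);
GO

-- Store a password: generate a fresh salt, hash (salt || password).
-- Note: HASHBYTES on 2008 offers MD5/SHA1 only; SHA2_256 arrives in 2012.
CREATE PROCEDURE dbo.SetPassword
    @UserName nvarchar(64),
    @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @Hash varbinary(20) =
        HASHBYTES('SHA1', @Salt + CONVERT(varbinary(256), @Password));

    -- Insert a new user or rotate an existing user's salt and hash.
    MERGE dbo.AppUser AS t
    USING (SELECT @UserName AS UserName) AS s ON t.UserName = s.UserName
    WHEN MATCHED THEN UPDATE SET PasswordSalt = @Salt, PasswordHash = @Hash
    WHEN NOT MATCHED THEN INSERT (UserName, PasswordSalt, PasswordHash)
                          VALUES (@UserName, @Salt, @Hash);
END
GO

-- Verify a login attempt: recompute with the stored salt and compare.
-- Unknown user and wrong password both yield @IsValid = 0.
CREATE PROCEDURE dbo.CheckPassword
    @UserName nvarchar(64),
    @Password nvarchar(128),
    @IsValid  bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @IsValid = 0;
    DECLARE @Salt varbinary(16), @StoredHash varbinary(20);
    SELECT @Salt = PasswordSalt, @StoredHash = PasswordHash
      FROM dbo.AppUser WHERE UserName = @UserName;
    IF @Salt IS NOT NULL
       AND HASHBYTES('SHA1', @Salt + CONVERT(varbinary(256), @Password)) = @StoredHash
        SET @IsValid = 1;
END
GO

-- Demonstration with constructed values.
DECLARE @ok bit;
EXEC dbo.SetPassword N'alice', N'correct horse battery staple';
EXEC dbo.CheckPassword N'alice', N'correct horse battery staple', @ok OUTPUT;
SELECT @ok AS CorrectPassword;   -- 1
EXEC dbo.CheckPassword N'alice', N'wrong', @ok OUTPUT;
SELECT @ok AS WrongPassword;     -- 0

-- Nothing stored here lets a reader of the table recover the plaintext.
SELECT UserName, PasswordSalt, PasswordHash FROM dbo.AppUser;

-- Contrast: encryption is reversible for anyone holding the passphrase,
-- so a compromised key exposes every password at once.
DECLARE @cipher varbinary(8000) =
    ENCRYPTBYPASSPHRASE('passphrase-held-by-app', N'correct horse battery staple');
SELECT CONVERT(nvarchar(128),
               DECRYPTBYPASSPHRASE('passphrase-held-by-app', @cipher)) AS Recovered;
```

Two caveats a practitioner should keep in mind: a single SHA1 round, even salted, is cheap to compute, so it only slows down an attacker who already has the table rather than stopping one; and hashing inside the database means the plaintext password is sent to SQL Server on every login, whereas the ASP.NET membership approach mentioned in the other answers hashes in the application tier before anything reaches the database.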
If you are using SQL Server and ASP.NET, you should look into Forms Authentication with the SqlMembershipProvider.
Explained: Forms Authentication in ASP.NET 2.0
SqlMembershipProvider Class
An Overview of Forms Authentication
Microsoft have made this super-easy with the snappily named FormsAuthentication.HashPasswordForStoringInConfigFile.
http://www.adventuresindevelopment.com/2009/05/23/a-simple-way-to-hash-passwords-in-aspnet/