Another alternative which I sometimes use is to encrypt the password into some other form, which you then store in the database, and then you check that the entered password encrypts to the same value for verification purposes.
This means the encryption doesn't need to be 'reversible' - you never need to get the password back from the stored value, so it's no use to anyone even if they steal the data, and you can encrypt the entered password before sending that for storing or verification, so you never send plain text passwords outside your application.
If you don't need to be particularly secure, here's a bit of PHP that you could easily convert to C or VB that turns a text password into a lightly-encrypted 'long integer'.
Store the result of the function as your password in the database. Then when you want to check a password, just hash the entered text and see if the result matches what was stored. That way you never store the actual password, and it is very difficult to turn the stored value back into anything usable.
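    // Renamed from hash(): PHP has a built-in hash(), so redeclaring it is a fatal error.
    function simple_hash($key) {
        $h = 0;
        // Fold each character of the password into the running value.
        for ($n = 0; $n < strlen($key); $n++) {
            // $key[$n] replaces $key{$n}, which PHP 8 no longer accepts.
            $h = (($h & 0x3FAFCF) * 131) + ord($key[$n]);
        }
        return $h;
    }
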
Regards,
Steve
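
The store-then-compare flow from the post above, written with PHP's built-in password_hash() and password_verify() (PHP 5.5 and later), which add a random per-password salt and a tunable work factor. This is an added example, not part of the original post; the $users array standing in for the database table, the DUMMY_HASH constant, and the function names register_user() and check_login() are assumptions.

```php
<?php
// Added example: an in-memory array stands in for the database table (assumption).
$users = [];

// Constructed placeholder hash, verified against when the user name is unknown
// so that unknown and known names take roughly the same time to reject.
define('DUMMY_HASH', password_hash('constructed-placeholder', PASSWORD_DEFAULT));

// Store only the salted one-way hash; the plain-text password is never kept.
function register_user(array &$users, string $name, string $password): void {
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Hash the entered text and compare it with the stored value.
function check_login(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // password_verify() reads the algorithm, cost and salt from the stored
    // string and compares in constant time.
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    // When PHP's default algorithm or cost changes, upgrade the stored hash
    // while the plain-text password is still available at login.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data.
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong guess'));
var_dump(check_login($users, 'nobody', 'anything'));

// Two users with the same password get different stored values, because
// each call to password_hash() generates its own random salt.
var_dump($users['alice'] === $users['bob']);
```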