First, I'm going to go out on a limb here and say that hashing passwords in the database is in general a bad practice with respect to security. You would not be protected against traffic sniffers watching traffic to the database. The only way to protect against that is to ensure your connection to the database was encrypted which generally means all other traffic to the database is going to be encrypted. It's possible to work around this, but the better solution is to have the application(s) do the hashing.
As Sam Saffron stated, you can use the Hashbytes functions to get SHA1 hashing. If you want better algorithms you would need to create a CLR procedure. Salting would involve storing a cryptographically random value for each user, then appending that value to the password and running it through Hashbytes:
Create Procedure ValidateUser
@Username nvarchar(50)
, @Password nvarchar(50)
As
Declare @PasswordSalt varbinary(256)
Set @PasswordSalt = ( Select PasswordSalt From Users Where Username = @Username )
If @PasswordSalt Is Null
-- generate a salt?
Declare @Hash varbinary(max)
Set @Hash = Hashbytes('SHA1', @PasswordSalt + Cast('|' As binary(1)) + Cast(@Password As varbinary(100))
If Exists( Select 1
From Users
Where Username = @Username
And PasswordHash = @Hash )
-- user is valid
Else
-- user is not valid
Remember that the salt should be cryptographically random so I would not recommend using NewId(). Instead, I would generate that using something like .NET's RNGCryptoServiceProvider class.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
