The best way to keep passwords from being compromised is to not store the password at all. Unfortunately, I've seen far too many apps that have databases with a "password" column that contains the actual password! And I'm sure you've seen web sites that, when you click the "forgot password" link, send you an email with your actual password! This is not good. The only one who should know a password is the person who created it.
So the first thing to do is to not store the password. Instead, store a one-way hash of the password. A hash is a function that, given a value, returns a new value of a fixed length that is always the same for that original value. A one-way hash is a hash that can convert text to a hash value but cannot convert the hash value back to the original text.
It just so happens that Real Studio has a one-way hash function built-in: MD5.
Given a password "frenchfries", MD5 generates this hash value (converted to hex): 8d32a4b407de20d2465467ee38def24c
Instead of storing the password, you store this hash value. To validate a password, you calculate the hash for the entered password and compare the results. If they are the same then you know the password is correct even though you do not know the actual password.
This strategy is a great start, but it has a flaw: it is susceptible to a "brute-force" attack. This is where a nefarious hacker pre-calculates hash values for large numbers of common words. The result is referred to as a rainbow table. Since most people choose relatively simple passwords, those passwords will more than likely be found in a rainbow table. If a hacker gets access to your hash value, they can then look it up in the rainbow table to see what the plain-text password is.
One way to help mitigate this is to use a "salt" along with the password to create the hash. The salt is an extra value that you add to the password to generate hashes that make rainbow tables useless. You can use the same salt value for all the passwords (usually not recommended) or you can use something more specific for each password.
Creating an MD5 hash of the combination of the hash for "frenchfries" and the text "frenchfries" generates this hash: 5074614ea4d980208040c55267e81ec0
Such a value is not likely to show up in any rainbow table because it is specific to you, which limits its general usefulness. Not to mention that a hacker would first need to figure out how you are creating your salt value before they could generate a rainbow table for it.
Unfortunately for LinkedIn, they were not using a salt on their stored passwords.
Using a hash with a salt works well, but you have to use a secure hashing function. It has been known for some time that MD5 is no longer a secure hashing function and is not recommended for use. Its primary problem is that it is possible for two completely different values to generate the same hash. This flaw has been used to forge security certificates, among other things. You may think it does not matter much for your purposes, but there are other hashing functions that are safer to use, such as SHA-1 and SHA-2.
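As an added example (not from the original post, and written in Python rather than Real Studio because Python's standard library already has SHA-2 built in), here is the unsalted MD5 scheme beside a salted SHA-256 version. The salted version uses a random per-password salt rather than one derived from the password itself, stores the salt next to the digest, and validates with a constant-time comparison; the storage format and function names are my own choices.

```python
import hashlib
import hmac
import os


# Weak scheme from the post: one unsalted MD5 per password. Every user
# with the same password gets the same digest, so a single precomputed
# (rainbow) table recovers all of them at once.
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened scheme: random per-password salt, hashed with SHA-256 (SHA-2).
# The salt is not secret; it is stored alongside the digest in the
# (assumed) format "sha256$<salt hex>$<digest hex>".
def make_stored_password(password: str, salt=None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh for every password, never reused
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "sha256$" + salt.hex() + "$" + digest


def verify_password(password: str, stored: str) -> bool:
    algo, salt_hex, digest = stored.split("$")
    if algo != "sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    # Constant-time comparison so timing does not reveal how many
    # leading characters of the digest matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: two users who both pick the post's example password.
    alice = make_stored_password("frenchfries")
    bob = make_stored_password("frenchfries")
    print("unsalted MD5, same for both users:", unsalted_md5("frenchfries"))
    print("salted records differ:", alice != bob)
    print("correct password accepted:", verify_password("frenchfries", alice))
    print("wrong password rejected:", verify_password("frenchfrie", alice))
```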
Alas, Real Studio does not include any versions of those two hash functions, although there is a feature request for this: 7269. You do have some third-party options, however:
- Charles Yeomans has an SHA-1 function (written in Real Studio).
- The MonkeyBread plugins have a variety of hash functions.
- The e-CryptIt plugin from Einhugur has hash functions.