What security measures should I put in place to ensure that, were my database to be compromised, long-life access tokens could not be stolen?

A long-life access token is as good as a username and password for a particular service, but from talking to others it seems most (myself included) store access tokens in plain text. This seems to be to be just as bad as storing a password in plain text. Obviously one cannot salt & hash the token.

Ideally I'd want to encrypt them, but I'm unsure of the best way to do this, especially on an open source project.

I imagine the answer to this question is similar to one on storing payment info and PCI compliance, but I'd also ask why there isn't more discussion of this? Perhaps I'm missing something.

你只是想验证由他人提供的令牌？ 如果是的话，把它当作你将一个密码。 使用一个字节导出算法等密码基于密钥导出函数2（PBKDF2） （也描述于RFC 2898 ）10,000次迭代和存储第一20个字节左右。 当接收到令牌。 这是不可逆的实践。

你想呈现的令牌给他人身份验证？ 如果是这样，这是一个挑战，因为，如果你的应用程序可以解密或以其他方式获得访问令牌，这样可以攻击。 认为香农马克西姆，攻击者知道了系统，尤其是对于一个开源项目。

在这种情况下，最好的方法是用强算法（例如AES256）令牌安全地在不同的位置进行加密，使用强加密标准随机数生成器生成密钥和存储密钥（多个）的数据，如在权限在本例中受保护的文件在数据库外上方。 后者意味着SQL注入攻击不会透露的钥匙。