Delphi - authentication mechanism suggestions

This question has educational goals only. I am currently creating a small application on which I want to enable the authentication mechanism. The application must have access to the Internet when installing it, but after that it can work offline. So far I have been thinking about the following solutions:

1) Classic: username and password (encrypted) sent to the authentication web service - problems when the Internet connection is unavailable.
2) Create a password based on the serial number of the motherboard / hard drive - this causes problems when changing components.

In addition, I want to enable the "remember password" checkbox. What is the safest way to do this? Where should I store this information?

I believe that most of you have made the authentication mechanism more or less complicated, and I ask for your opinion. In addition, I know that everything can be hacked, but I want to make it as difficult as possible.

+3
4 answers

Do not reinvent the wheel!

Some rules:

  • authentication must be per user;
  • authentication must be for the session, that is, for the network connection and for some specified time;
  • never store a password on disk, but use a hash;
  • never pass the password over the network, but use a hash;
  • add some “salt” (i.e. random data) while hashing any value;
  • try to implement a zero-knowledge proof.

To make this simple, the server creates a “call” for the client.

+5
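The rules in the answer above (per-user accounts, a salted hash stored instead of the password, a keyed hash of a server challenge instead of the password on the wire, and a time-limited session) carried through as an added example that is not part of the original answer; it is written in Python rather than Delphi because the exchange is language-independent. The `AuthServer` class, `SESSION_TTL` and the PBKDF2-SHA256 verifier are assumptions of this example; note that the stored verifier is still password-equivalent for this protocol, which a real zero-knowledge scheme such as SRP avoids.

```python
import hashlib
import hmac
import os

SESSION_TTL = 600  # seconds a session token stays valid (assumed value)

def derive_verifier(salt: bytes, password: str) -> bytes:
    """Salted, slow SHA-256 hash (PBKDF2); this is what the server stores, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def compute_proof(verifier: bytes, challenge: bytes, username: str) -> bytes:
    """Client-side answer to the challenge; only a keyed hash crosses the wire, not the password."""
    return hmac.new(verifier, challenge + username.encode("utf-8"), hashlib.sha256).digest()

class AuthServer:
    def __init__(self) -> None:
        self._users = {}     # username -> (salt, verifier)
        self._pending = {}   # username -> outstanding challenge
        self._sessions = {}  # token -> (username, expires_at)
    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self._users[username] = (salt, derive_verifier(salt, password))
    def issue_challenge(self, username: str):
        challenge = os.urandom(32)  # random, single-use nonce
        self._pending[username] = challenge
        # unknown names still get a salt so the reply does not reveal which users exist
        salt = self._users[username][0] if username in self._users else os.urandom(16)
        return salt, challenge
    def verify(self, username: str, proof: bytes, now: float):
        challenge = self._pending.pop(username, None)  # popped: a replayed proof cannot match
        record = self._users.get(username)
        if challenge is None or record is None:
            return None
        expected = compute_proof(record[1], challenge, username)
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return None
        token = os.urandom(32).hex()
        self._sessions[token] = (username, now + SESSION_TTL)
        return token
    def session_user(self, token: str, now: float):
        """Return the user behind a token, or None if it is unknown or past its expiry time."""
        entry = self._sessions.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

def client_login(server: AuthServer, username: str, password: str, now: float):
    """Client side of the exchange: the password never leaves this function."""
    salt, challenge = server.issue_challenge(username)
    proof = compute_proof(derive_verifier(salt, password), challenge, username)
    return server.verify(username, proof, now)
```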

You can do what browsers use with cookies and store the password in an encrypted file or, even better, store it in a database. Remember that you need to update the database password if the user changes it on the server. You do not need to generate a password. You can ask the user to do this and check its complexity to make sure it is safe. And always use SSL when connecting to a web service to ensure the secure transfer of all data.

+2

Source: https://habr.com/ru/post/1786919/
