Geek Answers Handbook

Password Security

I need to “password protect” my application, but you need to know where to store the password safely.

How do I intend to do this:

At the first start of the program, I will ask the user to create a password. The password will be salted and hashed in SHA-256, then stored either in the registry or in a file.

Problem:

If I store a hashed password in the registry or file (or both), it would be too easy for someone to simply delete the key in the registry or in the file and ask to create a new password ...

How can I safely store a hashed password so that it is difficult to remove?

I thought about saving it to the registry, as well as creating a file with hidden and system attributes for reading with a deleted registry file, but this seems silly because it can also be easily deleted.

// Hope I posted this question correctly with the correct tags. I'm new here, so please come through !;)

All the best

Chris (Shamballa)

+7
security passwords delphi
source share
8 answers

This is basically an ethics programming problem 101. If you store information on another computer, remember that the computer is their property and they have the right to delete or modify any file or registry key on it. Trying to make it so that they cannot, is a very bad idea.

There is a good reason why you cannot do this. What happens if someone starts to post files that you cannot delete or modify on your computer? Extrapolate the logical conclusion: what happens if the virus starts to put files that you cannot delete or modify on your computer, and did it in an endless loop until the hard drive was full? You know, if it were possible, someone would try.

If you want the program to store the password somewhere where the user cannot change it, put it on your server and ask your program to contact it via the Internet connection. (This is a completely different opportunity for worms, but at least you are not trying to do impossible things or violate the basic rights of your users anymore.)

+15
source share

You did not specify which password protects. I assume that it is used to protect the data created by your program.

I am not a security expert or cryptographer, but if the data is stored locally, the solution is simple. Store both the password (or rather the password hash) and the data in one place (file, database, etc.), Encrypted with separate keys.

This prevents crawling by deleting the file. They would also delete all data. This will prevent everyone except the most specific end user.

+5
source share

You can safely store the password for the application using the Windows cryptographic API . There is an example of using CodeGuru , but it is written in C ++ and not in Delphi. The code is not too complicated, so it should be relatively easy to convert to Delphi.

A more difficult solution would be to ask the user for the password before downloading the application and insert a part of the hashed password into the binary file - of course, if you received several copies of the application, you could easily determine the location of the encrypted value and the code that checks it to remove it.

The problem is that you did not create any value due to using a password, i.e. it seems to be just a password. You must use the password as a seed to encrypt the application data and bind the password to the data. Lose your password and you will only lose data.

+4
source share

A better solution would be to rely on an external source that the user can NOT control to store part of the password. Otherwise, wherever you hide it, it is easy to spot someone with a few free tools and a little time.

Personally, I found that the best place to store such data is in clear text, as well as other data that the application often accesses. Keep in mind that if a user has access to change data, he is at risk.

If you want to block your program, it is necessary that the key already exists before your program starts. Thus, you only need to worry about how you get the key, and since it is encrypted, it will be more difficult for them to create one that works for your system.

For your initial authentication process, you can put part of the key on your web server, provide the user with the access key needed to create the encrypted file. Using the access key will lead them to the key on your server, and if it is valid, then allow them to save the encrypted file. If you are worried about reactivating, then after activating it, you can delete the file on your web server.

Another option would be to use something like OnGuard ( latest version ) to encode a time-limited key that you provide to the user. Then, when activation starts, check that the key you supplied expires or not, and if so, do not allow activation. Thus, your activation key is at risk for a limited period of time.

Do not spend a lot of time on this. Even the best algorithm can be fixed with a few NOP instructions after deploying the application.

+3
source share

There are at least two ways to interpret your question.

(1) You want to save passwords so that you can later use them to log into a remote database.

This answer in Password Encryption in Delphi explains part of the encryption.

This way you can save the password so that later it can be used to authenticate the user when entering the system using the application on the database server or something like that.

The “do not delete” part is really sensitive to users; I would not do that.

(2) You want to save the password so that it can be used to verify the user for local access to your application.

This is more difficult, because in principle you cannot.

The closest way is to save the background process, which keeps the file locked.
You contact this process to unlock the file so that you can verify the password.

- Jeroen

+1
source share

Judging by your description, you don’t understand that if you have all the security,

if not SameString(Hash(UserPassword), StoredPassword) then exit;

Then you do not have security at all, and it is not a question of the user deleting your password file. The user can simply open your exe file in any binary editor and cut out the part that performs the check:

 //if not SameString(Hash(UserPassword), StoredPassword) then exit; //Check commented out ---malicious user

You should understand that even when compiling your application, it still contains all the source code, just in assembler. You can still edit the source code, it's a little more complicated because it is now in a different language.

Therefore, if you want the user to not do something in his application, there are only two ways:

  • Protect your application and its files. Or save them on a separate server if you do not control it. Or just make it a service that only accepts a fixed set of commands.

  • Make sure that the application does not check it, but encrypts something critical with a password. Of course, an attacker can reset the password or even delete the decryption procedure altogether, but he still has to decrypt the data.

Any other solution can be circumvented; all that differs is the time and skills necessary to circumvent. For example, you can encrypt a critical part of the application code and decrypt it "on the fly" (did it once). Then execute and encrypt. Without the correct password, your application will never work.

But an attacker can install a separate copy of the application with a known password, examine the parts of the program when they are decrypted and collect them in an unencrypted source. Of course, a lot of work. But this can be done in a finite time.

+1
source share

If you need only one password, encrypt it and secure it at the end of .exe. I have done this successfully many times.

0
source share

I would suggest using authentication features in Windows, in particular CredWrite and CredRead . You could also use encryption windows (CryptProtectData / CryptProtectMemory), and then save the credentials

EDIT . If you need headers for Delphi, they are available in the Jedi Windows Api Library .

0
source share

More articles: