
Delphi - authentication mechanism suggestions

This question has only an educational purpose. At this moment I'm making a small application in which I want to include an authentication mechanism. The application should have access to the Internet when it is installed, but afterwards it can work offline. Until now I've been thinking of the following solutions:

1) Classic: username and password (encrypted) sent to an authentication webservice - problems when the Internet connection is down.
2) Generate a password based on the motherboard/hard-disk serial no. - this generates issues when components are changed.

Also, I want to include a 'remember password' checkbox. Which is the safest way to do this? Where should I store this info?

I believe that most of you have made an authentication mechanism, more or less complex, and I'm asking for your opinion. Also, I know that everything can be hacked, but I want to make it as difficult as I can.

Don't reinvent the wheel!

Some rules:

  • authentication must be per user;
  • authentication must be for a session, i.e. for a network connection and some given time;
  • never store a password in the clear on disk, but use a hash;
  • never transmit a password over the network, but use a hash;
  • add some "salt" (i.e. random data) during the hashing of any value;
  • try to achieve some kind of Zero-knowledge proof.

To make it simple, the server creates a "challenge" for the client.

Typical implementation can be:

  1. Client connects to a server, saying its user name;
  2. Server checks for the name, then creates and sends a challenge to the Client;
  3. Client asks the user to enter their password, then uses it to respond to the challenge;
  4. Server receives the answer, then checks that the challenge is correct.

You can create a challenge using a good hashing algorithm (take a look at our very fast SHA-256 functions), and follow these steps:

  • The User enters their initial password, then a SHA-256 of it is transmitted to the server (encrypted via a fixed private key, e.g.);
  • The Server stores user names/password hashes as key/values;
  • The Server creates a challenge by creating a random block (using SHA-256 of some random data, including the current time and other Randomize+Random values...);
  • The Client hashes this random block (received from the server) with the hash of the password just entered by the user;
  • The Server receives the result from the Client, computes its own version using the stored password hash of the user, and compares the two values: the challenge is successful if both values are the same.
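The four-step exchange and the hashing steps above, written out as a runnable example. This is added code, not from the answer, the question or any Delphi library; it is in Python rather than Delphi because the scheme is language-neutral and Python's standard library has everything needed. The names (`AuthServer`, `AuthClient`-side helpers `enroll`, `run_login`, `challenge_response`) are assumptions of this example. Two small choices go beyond the text: a per-user salt is mixed into the stored password hash (the answer's "add some salt" rule), and "hash the random block with the password hash" is done as HMAC-SHA256 keyed by the password hash, which is the standard way to bind a secret to a challenge. The server consumes each challenge on first use, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time


def password_hash(salt: bytes, password: str) -> bytes:
    """Client-side: SHA-256 over a per-user salt and the password.
    Only this value ever leaves the client; the password itself never does."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_challenge() -> bytes:
    """Random block built as the answer suggests: SHA-256 over CSPRNG bytes
    plus the current time, so every login attempt gets a fresh value."""
    material = secrets.token_bytes(32) + str(time.time_ns()).encode("ascii")
    return hashlib.sha256(material).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Computed by both sides: the challenge hashed together with the password
    hash. HMAC keyed by the password hash is used instead of a bare concatenation
    (an assumption of this example)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class AuthServer:
    """Keeps (salt, password hash) per user and one outstanding challenge per user."""

    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.pending = {}  # username -> challenge awaiting an answer

    def register(self, username: str, salt: bytes, pw_hash: bytes) -> None:
        """Enrolment: the client sends salt + hash once (the answer assumes an
        encrypted channel for this); the server never sees the password."""
        self.users[username] = (salt, pw_hash)

    def begin(self, username: str):
        """Steps 1-2: the client names itself; the server replies with the
        user's salt and a fresh challenge, or None for an unknown user."""
        if username not in self.users:
            return None
        salt, _ = self.users[username]
        challenge = make_challenge()
        self.pending[username] = challenge  # one live challenge per user
        return salt, challenge

    def finish(self, username: str, response: bytes) -> bool:
        """Step 4: recompute from the stored hash and compare in constant time.
        The challenge is removed on first use, so it cannot be answered twice."""
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        _, stored_hash = self.users[username]
        expected = challenge_response(stored_hash, challenge)
        return hmac.compare_digest(expected, response)


def enroll(server: AuthServer, username: str, password: str) -> None:
    """Client side of enrolment: pick a random salt, hash, send hash only."""
    salt = secrets.token_bytes(16)
    server.register(username, salt, password_hash(salt, password))


def run_login(server: AuthServer, username: str, password: str) -> bool:
    """The full exchange (steps 1-4) from the client's point of view."""
    issued = server.begin(username)
    if issued is None:
        return False
    salt, challenge = issued
    # Step 3: the user types the password; the client derives the hash and
    # answers the challenge with it.
    response = challenge_response(password_hash(salt, password), challenge)
    return server.finish(username, response)


if __name__ == "__main__":
    srv = AuthServer()
    enroll(srv, "alice", "correct horse battery")  # constructed sample user
    print("correct password accepted:", run_login(srv, "alice", "correct horse battery"))
    print("wrong password accepted:  ", run_login(srv, "alice", "wrong"))
```

Note that the stored value `SHA-256(salt || password)` is password-equivalent for this protocol: whoever reads it from the server can answer challenges, which is why the server-side store needs the same protection as a password file and why a slow KDF (PBKDF2, scrypt, Argon2) is the usual choice for that stored value in practice.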

It depends on what you want to achieve. For instance, you might first retrieve some critical data from the server, then always store it locally, encrypted by the login password. This way no password is stored on the PC and you have to enter it to access the data.

Then, to remember the password, you can store its hash locally, which cannot be used to obtain the real password...
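What the client might keep on disk when "remember password" is ticked, following this answer (store a hash, never the password, and use the password to protect cached data). This is an added example, not code from the answer or the question; the record layout, the iteration count and the function names `remember_password`, `check_remembered` and `derive_data_key` are assumptions. It goes slightly beyond the text in one respect: a single PBKDF2-SHA256 run produces a master key, from which the on-disk verifier and the data-encryption key are derived with distinct labels, so the verifier that sits on disk does not reveal the key that encrypts the cached data. The encryption itself is left to an AEAD implementation of your choice; only the key derivation is shown.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # PBKDF2 cost; assumption of this example, tune per target machine


def _master_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation of a 32-byte master key from the typed password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def _expand(master: bytes, label: bytes) -> bytes:
    """Derive a labelled sub-key; HMAC is one-way, so one sub-key does not
    give the master key or any other sub-key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def remember_password(password: str) -> str:
    """JSON record to write locally: random salt, iteration count and a
    verifier. The password and the master key are never written."""
    salt = secrets.token_bytes(16)
    master = _master_key(password, salt, ITERATIONS)
    return json.dumps({
        "kdf": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "verifier": _expand(master, b"remembered-password-verifier").hex(),
    })


def check_remembered(record: str, password: str) -> bool:
    """Offline check at startup: recompute the verifier from the typed
    password and compare in constant time."""
    rec = json.loads(record)
    if rec.get("kdf") != "pbkdf2-sha256":
        return False  # unknown record format: refuse rather than guess
    master = _master_key(password, bytes.fromhex(rec["salt"]), int(rec["iterations"]))
    expected = bytes.fromhex(rec["verifier"])
    got = _expand(master, b"remembered-password-verifier")
    return hmac.compare_digest(expected, got)


def derive_data_key(record: str, password: str) -> bytes:
    """Key for encrypting the locally cached server data. Same salt and
    iterations as the verifier, different label, so the verifier on disk
    cannot be turned into this key."""
    rec = json.loads(record)
    master = _master_key(password, bytes.fromhex(rec["salt"]), int(rec["iterations"]))
    return _expand(master, b"local-data-encryption-key")


if __name__ == "__main__":
    rec = remember_password("hunter2-constructed")  # constructed sample password
    print(rec)
    print("typed password matches record:", check_remembered(rec, "hunter2-constructed"))
    print("data key:", derive_data_key(rec, "hunter2-constructed").hex())
```

Because both values come from the same PBKDF2 run, a login that succeeds offline costs one slow derivation, not two; the record holds no secret on its own and is only useful to someone who also knows the password.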

You can do what browsers do using cookies and storing the password in an encrypted file or, even better, storing it in a database. Remember that you need to update the database password in case the user changes it on the server. You do not need to generate the password. You can ask the user to do so, and check its complexity to ensure that it is safe. And always use SSL when connecting to a webservice, to ensure all data is safe to transmit.
