Is authenticating users through a form with a database connection safe against crackers?

Viewed 122 times

1

I would like to authenticate my program's users using a form connected to an SQL Server database, but I don't know whether this is a safe way to protect against unauthorized copies. The authentication will be done in the usual way with username and password: the program will check the data in the database and validate access to the program.

I wonder whether it is safe or whether I need to take some precautions to avoid this kind of problem?

Using Delphi XE5 and SQL Server 2012.

  • 1

    Remember to establish a "secure" connection between the application and the computer where the database is.

3 answers

2


In these cases, it is important not only that your program is tightly tied to the password validation in the database, but also that the password is encrypted. There are many cases of large software on the market that use this method and so far have had no problems with crackers.

It is also worthwhile to add validations to your software to check whether someone is trying to break a password by brute force, such as setting a maximum number of consecutive wrong attempts on a given day.

In any case, comparing login and password to grant access is the method used by the vast majority of market software developed in Delphi.

1

The password cannot be 'raw', that is, it cannot behave like the username, being a plain string. You need to encrypt it.

There are simple functions for this. AES, for instance, already does the job. But you can also use a hash... SHA1, MD5, etc.

MD5 has been broken, but... it also falls to brute force. At first, for study, any one will do. Then you can run tests and improve. Limit attempts (which would avoid the brute-force case), etc.

0

It is a method that can be used, as long as you do not let the password travel in plain text over the network, or save it in the database that way.

Ideally, when capturing the user's password, encrypt it in the program and send the encrypted value to the database. To validate the password at login time, do the same process: encrypt the password and send it to the database to check. If the MD5/SHA1 is the same as the one saved in the DB, grant access.
