Post "moved" from Delphi Component Directory

Originally shared by Frank Duchna

Hello everybody.
Could someone help me on how I can store a password in an SQL database?
Another option would be to find out which user is connected to the database.
I want to set up rights management within my software to control which parts are used and to filter data from the database.
Thanks in advance.
Frank

Comments

  1. Do you want to decrypt the password afterwards? If not, use the semi-standard of storing a hash (SHA-XXX - IdHashSHA.pas - 224, 256, 384, and 512 - has a number of different implementations)?

  2. Frank Duchna - I moved this post here from the Delphi Component Directory.

    As Kiss Nándor pointed out under the original post, Never EVER store a password in the SQL database.

    Nicholas Ring beat me to it. Use a non-reversible hash to create a fingerprint for the password, and store the fingerprint in the database. When checking access, hash the given password again, and compare it to the fingerprint.

    http://en.wikipedia.org/wiki/Secure_Hash_Algorithm

  3. It should be part of your Delphi installation (Indy components), otherwise http://www.indyproject.org/sockets/Download/index.en.aspx

  4. Nicholas Ring Thanks for the tip with the IdHashSHA.
    Can you maybe show me a link to an example of how to use it as well? Seems to me like I'm too "stupid" to understand. I have to let you know that this is my first time using hashes or encryption. Thanks

  5. Thank you Nicholas Ring. The source helped me understand how to get it done. Now I can get the rights management on the way in my little program.

  6. You should never store passwords in your database. Instead, you should store a one-way hash of the password, and then when the user enters the password, hash it and compare to what you did store.

  7. Most SQL server engines have built-in hash functions you can call in a query. You do not need external code. However, I strongly recommend salting your password with the user's name or login (some known string unique to the user). Otherwise, everyone who uses "abc123" as their password will have the same hash. This is not cryptographically secure. If you salt the password before hashing it, then all "abc123" passwords will have different hashes. You salt a password by concatenating the clear-text salt string with the clear-text password string and then hashing the result. Don't forget to re-salt when the user tries to log in.

  8. Thanks for the great help from you all. I understood how it works, and in my test app it is implemented. Now I only have to set it up to get it working in my productive app.

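The scheme the comments converge on (salt = the user's login, concatenate salt and password, SHA-256 it, store only the hex fingerprint, re-salt and compare at login), as an added example that is not code from the thread or from Indy; in Delphi the hashing step corresponds to the SHA-256 class in the IdHashSHA.pas unit named in comment 1. The table is a constructed in-memory dict, and the second pair of functions goes beyond the thread with a random per-user salt and a slow KDF (PBKDF2), because a single fast SHA-256 of login+password is cheap to brute-force offline if the fingerprints ever leak.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table: login -> stored fingerprint
USERS = {}

def salted_sha256(salt, password):
    """Concatenate the clear-text salt and password, then SHA-256 as hex (comment 7's recipe)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def store_fingerprint(login, password, users=USERS):
    """Store only the fingerprint; the login itself is the salt, so equal passwords differ."""
    users[login] = salted_sha256(login, password)
    return users[login]

def check_password(login, password, users=USERS):
    """Re-salt the submitted password with the login and compare to the stored fingerprint."""
    stored = users.get(login)
    if stored is None:
        salted_sha256(login, password)  # hash anyway so timing does not reveal unknown logins
        return False
    return hmac.compare_digest(stored, salted_sha256(login, password))  # constant-time compare

# Stronger variant (beyond the thread): random salt stored beside the digest as "salt$hex",
# and PBKDF2 so each guess costs the attacker many hash iterations instead of one.
PBKDF2_ROUNDS = 600_000  # assumption: tune to your hardware

def store_fingerprint_pbkdf2(login, password, users=USERS, rounds=PBKDF2_ROUNDS):
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt), rounds)
    users[login] = f"{salt}${digest.hex()}"
    return users[login]

def check_password_pbkdf2(login, password, users=USERS, rounds=PBKDF2_ROUNDS):
    stored = users.get(login)
    if stored is None:
        return False
    salt, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    store_fingerprint("frank", "abc123")
    store_fingerprint("nicholas", "abc123")
    print(USERS["frank"] != USERS["nicholas"])  # True: same password, different fingerprints
    print(check_password("frank", "abc123"), check_password("frank", "wrong"))  # True False
```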