Is authenticating users through a form connected to a database secure against crackers?

1

I would like to authenticate users of my program using a form with a connection to a SQL Server database, but I do not know whether it is a secure way to protect against unauthorized copies. Authentication will be done in the usual way with username and password; the program will check the data in the database and validate access to the program.

I wonder whether this is safe, or whether I need to take precautions to avoid this kind of problem?

Using Delphi XE5 and SQL Server 2012.

    
asked by anonymous 13.07.2017 / 20:15

3 answers

2

In these cases, it is important not only that your program is well tied to password validation in the database, but also that the password is encrypted. There are many cases on the market of large software packages that use this method and, so far, have had no problems with crackers.

It is also worth adding validations to your software to detect whether someone is trying to break a given password by brute force, such as setting a maximum number of unsuccessful attempts on a given day.

In any case, comparing login and password to grant access is the method used by the vast majority of commercial software developed in Delphi.

    
25.07.2017 / 12:57
1

The password cannot be 'raw', that is, it cannot be treated like the username, as a plain string. You need to encrypt it.

There are simple functions for this. AES, for example, does the job. You can also use a hash: SHA1, MD5, etc.

MD5 has been broken, but... AES also breaks under brute force. To start studying, either will do. Then you can test and refine it. Limit attempts (that avoids the brute-force case), etc.

    
15.07.2017 / 04:28
0

This is a method that can be used, as long as you do not let the password travel in plain text over the network or save it that way in the database.

Ideally, when capturing the user's password, encrypt it in the program and send it to the database already encrypted. To validate the password at login time, do the same process: encrypt the password entered and send it to the database to check. If the MD5 / SHA1 is the same as the one saved in the DB, grant access.

    
04.09.2017 / 16:09
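The flow the three answers describe (store a hash rather than the password, hash the login attempt and compare it with the stored value, and cap unsuccessful attempts per day), as an added example that is not part of the original question or any of the answers. It is written in Python rather than Delphi so the logic can be run and ported; a dict stands in for the SQL Server users table (the column names are assumed), a per-user random salt and PBKDF2-HMAC-SHA256 are used in place of the bare MD5/SHA1 the second and third answers mention, the comparison is constant-time, and the daily limit of 5 failures and the iteration count are assumed values.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed in-memory stand-in for the SQL Server users table
# (assumed columns: Username, Salt, PasswordHash, FailedAttempts, LastFailureDay).
USERS = {}

PBKDF2_ITERATIONS = 100_000   # assumed; slow on purpose so each brute-force guess is expensive
MAX_FAILURES_PER_DAY = 5      # assumed; the "maximum number of unsuccessful attempts on a given day"
DUMMY_SALT = b"\x00" * 16     # used to keep timing similar when the username does not exist


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte value from password + salt; same inputs always give the same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only the salt and the derived hash; the plain-text password is never kept."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failed_attempts": 0,
        "last_failure_day": None,
    }


def stored_hashes_differ(username_a: str, username_b: str) -> bool:
    """With a per-user salt, two users who chose the same password still get different
    stored hashes, so a cracked hash for one does not expose the other. Unsalted MD5/SHA1
    would store identical values for identical passwords."""
    return USERS[username_a]["hash"] != USERS[username_b]["hash"]


def failed_attempts(username: str) -> int:
    return USERS[username]["failed_attempts"]


def login(username: str, password: str, today: str = None) -> str:
    """Return 'ok', 'locked' or 'denied'. `today` is an ISO date string (YYYY-MM-DD)."""
    today = today or date.today().isoformat()
    row = USERS.get(username)
    if row is None:
        # Do the same amount of work as a real check so timing does not reveal
        # whether the username exists.
        hash_password(password, DUMMY_SALT)
        return "denied"

    # The counter only applies to the current day; an earlier failure day resets it.
    if row["last_failure_day"] != today:
        row["failed_attempts"] = 0

    if row["failed_attempts"] >= MAX_FAILURES_PER_DAY:
        return "locked"  # refuse even a correct password until the next day

    candidate = hash_password(password, row["salt"])
    # Constant-time comparison: a plain == returns early on the first differing byte.
    if hmac.compare_digest(candidate, row["hash"]):
        row["failed_attempts"] = 0
        return "ok"

    row["failed_attempts"] += 1
    row["last_failure_day"] = today
    return "denied"


if __name__ == "__main__":
    register("alice", "correct horse")
    for attempt in ["wrong"] * 5 + ["correct horse"]:
        print(attempt, "->", login("alice", attempt, "2017-07-13"))
    print("next day ->", login("alice", "correct horse", "2017-07-14"))
```

In the real program the salt and hash are the two values written to the table and read back at login; the database never sees the password itself, and the comparison happens in the client after reading the stored hash for that username, not in a `WHERE PasswordHash = ...` clause.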