Store a Password Securely

Question

I need to "password protect" my application but need advice on where to store the password securely.

How I intend to do this:

The first time the program is run, I will prompt the user to create a password. The password will be salted and hashed in SHA-256 then stored in either the Registry or a file.

The Problem:

If I store the hashed password in the registry or a file (or both) then it would be too easy for someone to just delete the Key in the Registry or the File and be prompted to create a new password...

How can I securely store the hashed password so that it makes it harder to be deleted?

I have thought about storing it in the Registry and also creating a file with the Hidden and System Attributes to read from in the event of the Registry file being deleted but this seems silly as it could also be deleted quite easy.

// I hope I have posted this question correctly with the right Tags - I am new here so please go easy! ;)

All the best

Chris (Shamballa)

Answer 1

This is basically a Programming Ethics 101 issue. If you're storing information on someone else's computer, remember that the computer is their property and they have the right to delete or modify any file or registry key on it. Trying to make it so that they can't is a very bad idea.

There's a good reason why you can't do it. What would happen if someone started putting files that you can't delete or modify on your computer? Extrapolate to the logical conclusion: What would happen if a virus started putting files that you can't delete or modify on your computer, and did so in an infinite loop until the hard drive was full? You know if it was possible, someone would try it.

If you want a program that stores a password somewhere where the user can't modify it, put it on your server and have your program contact it over an Internet connection. (Which is an entirely different can of worms, but at least you're not trying to do impossible things or violate your users' basic property rights anymore.)

Answer 2

You didn't really specify what this password is protecting. I'll assume it is used to protect the data created by your program.

I'm no security expert or cryptographer but if the data is stored locally the solution is simple. Store both the password(or more likely a hash of the password) and the data in the same place (file, DB, etc), encrypted with separate keys.

This prevents circumvention by file deletion. They'd delete all the data as well. This will thwart all but the most determined end user.

Answer 3

You can securely store a password for an application using the Windows crypto API. There is an example of it's use in CodeGuru, but it is written in C++, not Delphi. The code is not too challenging, so should be relatively easily converted to Delphi.

A more advanced solution would be to ask the user for the password before downloading the application, and embed the hashed password part of the binary - of course if you obtained multiple copies of the application you could easily determine the location of the encrypted value, and the code checking it in order to remove it.

The issue is that you have not created any value from the use of the password, i.e. it seems to just be a password on it's own. You should use the password as a seed for encrypting the application's data, and tie the password to the data. Lose the password and you lose only the data.