
How to implement User ID & Pwd. perfectly ?


bzac

Programmer
Dec 20, 2000
How can I store the User ID & Password securely? Can I store it in my database as it is? How can I do encryption?

In my appl. I have an initial logon screen. Now it is working with a hardcoded pwd.

I want to enable/disable menu items according to the user logged on. Admins can use all the options. I have created a similar interface to Access security (i.e. User permissions & User accounts), but I don't know where to store the data securely. Is it recommended to store the data in the Access DB directly as it is?
I am using VB6/sp4, ADO 2.5, Access2000.

Thank you very much in advance.

BZac
 
There are two ways to store a user/pass: if you are using a database you could store them in a table within that, or if not using a db put them in the registry - I normally give the registry key an ambiguous name such as length and width or something like that. It depends on how secure you wish them to be (128 bit key encryption is probably a little over the top - but more than feasible), a very simple encryption algorithm is probably sufficient - split the password into separate chars, add a number, say 7 or something, to the ASCII value and when you read the password in subtract the value and Bob's your uncle, secure password. Or you could XOR each char, which seems to be a favoured method. If you do want the higher security, have a search around for "encryption", I used to have a very good 128 bit key algorithm which was freeware.

Hope this novel helps a bit
Gram 8o)
 
Windows uses 128-bit encryption for its password scheme. Why don't you just use the currently logged-in user name and password?
Put the following in a module:[tt]

Declare Function GetUserName _
    Lib "advapi32.dll" Alias _
    "GetUserNameA" (ByVal lpBuffer As String, _
    nSize As Long) As Long

Declare Function _
    WNetVerifyPassword Lib "mpr.dll" Alias _
    "WNetVerifyPasswordA" (ByVal lpszPassword As String, _
    ByRef pfMatch As Long) As Long

'Returns the name of the user currently logged in to Windows
Public Function GetWindowsLoginUserID() As String
    Dim rtn As Long
    Dim sBuffer As String
    Dim lSize As Long

    sBuffer = String$(260, Chr$(0))
    lSize = Len(sBuffer)
    rtn = GetUserName(sBuffer, lSize)
    If rtn Then
        sBuffer = Left$(sBuffer, lSize)
        'trim at the terminating null character
        If InStr(sBuffer, Chr$(0)) Then
            sBuffer = Left$(sBuffer, InStr(sBuffer, Chr$(0)) - 1)
        End If
        GetWindowsLoginUserID = sBuffer
    Else
        'error!
        GetWindowsLoginUserID = ""
    End If
End Function

'Returns True if Password matches the logged-in user's Windows password
Public Function VerifyWindowsLoginUserPassword(ByVal Password As String) As Boolean
    Dim rtn As Long, Match As Long
    rtn = WNetVerifyPassword(Password, Match)
    If rtn Then
        'a non-zero return value means the call failed
        VerifyWindowsLoginUserPassword = False
    Else
        VerifyWindowsLoginUserPassword = (Match <> 0)
    End If
End Function
[/tt]

Add two text boxes and a command button to a form (txtUserName, txtPassword and cmdOkay):
[tt]
Private Sub cmdOkay_Click()
    If VerifyWindowsLoginUserPassword(txtPassword.Text) = True Then
        X = MsgBox("Correct password!")
    Else
        X = MsgBox("Incorrect password!", vbCritical)
        txtPassword.SetFocus
    End If
End Sub

Private Sub Form_Load()
    txtUserName = GetWindowsLoginUserID
    txtUserName.Enabled = False
End Sub
[/tt]

Works like a champ. Let windows worry about password storage and encryption.

Alt255@Vorpalcom.Intranets.com
"To run Visual Basic, you must have certain hardware and software installed on your computer.
• Any IBM-compatible machine with an 80286 processor or higher.
• One megabyte of memory."


Visual Basic Programmer's Guide
 
VB 6 SP4
When I run the following code, I get this error.

Run-Time Error'453'
can't find DLL entry point WNetVerifyPasswordA in mpr.dll

Any idea on why it isn't working?

Brad Boydston
bboydston@bertnash.org

'Code Snippet
Option Explicit

Declare Function GetUserName Lib "advapi32.dll" _
    Alias "GetUserNameA" _
    (ByVal lpBuffer As String, _
    nSize As Long) As Long

Private Declare Function WNetVerifyPassword Lib "mpr.dll" _
    Alias "WNetVerifyPasswordA" _
    (ByVal lpszPassword As String, _
    ByRef pfMatch As Long) As Long

Public Function GetWindowsLoginUserID() As String
    Dim rtn As Long
    Dim sBuffer As String
    Dim lSize As Long

    sBuffer = String$(260, Chr$(0))
    lSize = Len(sBuffer)
    rtn = GetUserName(sBuffer, lSize)
    If rtn Then
        sBuffer = Left$(sBuffer, lSize)

        'Reformat string
        If InStr(sBuffer, Chr$(0)) Then
            sBuffer = Left$(sBuffer, InStr(sBuffer, Chr$(0)) - 1)
        End If

        GetWindowsLoginUserID = sBuffer
    Else
        'Error!
        GetWindowsLoginUserID = ""
    End If

End Function

Public Function VerifyWindowsLoginUserPassword(ByVal Password As String) As Boolean
    Dim rtn As Long, Match As Long
    rtn = WNetVerifyPassword(Password, Match)
    If rtn Then
        VerifyWindowsLoginUserPassword = False
    Else
        VerifyWindowsLoginUserPassword = (Match <> 0)
    End If
End Function

 
Oops... [tt]WNetVerifyPassword[/tt] isn't documented very well and I believe it is limited to Win9x.

Sorry about that. There may be an equivalent function for NT but I haven't stumbled across it yet.

I'll do some more digging.

Alt255@Vorpalcom.Intranets.com
 
I've been working on an application that needs to be available both in stand-alone (laptop) mode and on the network, which means the Windows logon is of no use.

I attempted using the standard Access security, which worked wonderfully except that in some instances, even when passing the user name and password, it kept prompting for the user to log in to the database. The same process in other locations (same database) didn't prompt, but correctly passed the current user details to the database.

My solution was to remove the Access security and create a hidden table with user name, group and password. I then locked down the database for distribution by setting the AllowBypassKey property of the database to false.

Hope this helps,

Annie
 
Thanks everybody for your valuable responses
 
It's my understanding that one good way to protect a part of a database from certain users, and give others access is to use a one-to-one relationship. That way, you have all your sensitive information confined to one (or a few) separate table(s).

As far as password encryption, I wrote my own that works very well, and was relatively easy to write/implement. It works entirely on random numbers. First, it decides whether to shift the characters in the password up or down. Then it chooses a random number to determine how much to shift all the characters. It opens the file where the password will be stored and writes 255 (or however many you want) randomly generated characters (random between 0 and 255), just to provide a "hiding place" for the encrypted password. Next, it chooses a random number that determines where in the file the encrypted password will start. Once the encrypted password is written, you'll need to write the information the decrypter is going to need in order to get the password back (shifted up or down, shifted by how many characters, where the password starts in the file, and how long the password is).

Just reverse the encryption process to get the real password back.

Here's the function I used to generate a random number between low and high:

Function Rand(low As Integer, high As Integer) As Integer
    Rand = Rnd * (high - low) + low
End Function
'usage:
a = Rand(0, 10)
'a will be a random number between 0 and 10.

Hope this helps!

-Mike

Difference between a madman and a genius:
A madman uses his genius destructively,
A genius uses his madness constructively.
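
Added example, not part of any post in this thread: a Python version of the random-shift-in-noise scheme from the last reply (the add-7 scheme from the earlier reply is the same idea with a fixed shift and no noise), next to a salted PBKDF2 record that can be checked but not reversed. The trailer layout, the function names and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

NOISE_LEN = 255       # size of the random "hiding place" from the last post
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def hide_password(password: str) -> bytes:
    """Reversible scheme from the thread: shift each byte, bury it in noise.

    Assumed layout (the post gives none): 255 noise bytes, then a 4-byte
    trailer holding direction, shift amount, start offset and length.
    """
    raw = password.encode("latin-1")
    up = secrets.randbelow(2)
    amount = 1 + secrets.randbelow(254)
    start = secrets.randbelow(NOISE_LEN - len(raw) + 1)
    delta = amount if up else -amount
    blob = bytearray(os.urandom(NOISE_LEN))
    blob[start:start + len(raw)] = bytes((b + delta) % 256 for b in raw)
    return bytes(blob) + bytes([up, amount, start, len(raw)])


def recover_password(blob: bytes) -> str:
    """Needs only the stored file: the trailer doubles as the key."""
    up, amount, start, length = blob[-4:]
    delta = amount if up else -amount
    shifted = blob[start:start + length]
    return bytes((b - delta) % 256 for b in shifted).decode("latin-1")


def make_record(password: str) -> dict:
    """Hardened form: keep a per-user salt and a slow one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def check_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])
```

`recover_password(hide_password(p))` returns `p` for any reader of the file, whereas the dictionary from `make_record` only answers yes or no through `check_password`, so a copied users table does not hand over the passwords themselves.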
 