storing sensitive information ie passwords

jeffmoore64

Programmer
Mar 23, 2005
207
US
Hi,
I have a database that has some password protected forms. What I need to be able to do is to store the password somewhere and have the ability to allow the user to change it if needed. I have two versions of the application, one is using Access's tables and the other is using MS-SQL server tables. I need to store the password in some relatively secure way, either in a table or in a text file. Any suggestions on the best method?
TIA
Jeff
 
Well, I think you can rule out a text file for security unless you intend to encrypt it. You can specify a "password" input mask on a table field or form control and that will cause the data to be displayed as asterisks. Not terribly secure by itself, though, because the actual values can be easily manipulated or displayed with VBA code. I'm not an expert in this area at all, but I suggest a combination of password input masks AND implementation of MS Access security on your database objects, so that only those with the right permissions can have access to sensitive data.

HTH,

Ken S.
 
Thanks for the reply,
The problem here is that the database application is going to be distributed to the general population. Therefore it will be difficult to administer some sort of security on the table or database. I don't need bullet proof security, just something that will stop the slightly inquisitive. I'm leaning towards a table with the password stored in it and a simple algorithm to obscure it.
 
Just a simple algorithm will do the trick to keep most people out. For example, you might just move each letter ahead four letters. So, the password "Awesome" would be "Eaiwsqi".

-------------------------
Just call me Captain Awesome.
 
A pretty easy way that actually provides some decent security is to encrypt the passwords using a routine such as SHA256 (easily found with a Google search). It is a type of one-way encryption that returns a 256 bit hash that represents the encrypted string. You can encrypt it, but it would take way more effort than any user is willing or able to put forth to unencrypt. When the user types in their password, you simply encrypt the entered password and check that hash against the stored hash. If they are equivalent then the password is correct.

To help this along even further, I append the username (unique for each user) to the end of the password before encrypting. This prevents two things:
- If two users happen to use the same password the hash returned will be different
- If a user gets into the table, they cannot just copy their hash into the hash of an administrator and then sign in using that admin username and their own password

This basically gets rid of all of the casual user's attempts to circumvent the password protection. Convert your file to an mde and they won't have any way of seeing the code.


If you need any more info on implementing any of this let me know,

Tom
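
An added example, not part of the original posts or any poster's code: a Python sketch of the username-bound SHA-256 check described above, next to a salted and iterated variant (PBKDF2) that keeps the same two properties. The account names, record layout and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def sha256_scheme(username: str, password: str) -> str:
    """The post's scheme: one SHA-256 over the password with the username appended."""
    return hashlib.sha256((password + username).encode("utf-8")).hexdigest()


def _derive(username: str, password: str, salt: bytes) -> str:
    # Password and (salt + username) are separate arguments, so "ab"+"c" and
    # "a"+"bc" can no longer collapse into the same hashed input.
    bound_salt = salt + username.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bound_salt, ITERATIONS).hex()


def make_record(username: str, password: str) -> dict:
    """Hardened variant: PBKDF2 with a random per-record salt, username bound in."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt.hex(), "hash": _derive(username, password, salt)}


def verify(record: dict, username: str, password: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    candidate = _derive(username, password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    # Constructed sample accounts; both pick the same password.
    alice = make_record("alice", "Awesome")
    admin = make_record("admin", "Awesome")
    # Simulate alice's salt and hash being pasted into the admin row.
    tampered_admin = {"user": "admin", "salt": alice["salt"], "hash": alice["hash"]}
    return {
        "same_password_differs": alice["hash"] != admin["hash"],
        "good_login": verify(alice, "alice", "Awesome"),
        "wrong_password": verify(alice, "alice", "awesome"),
        "copied_row_login": verify(tampered_admin, "admin", "Awesome"),
        "reset_same_password_differs": make_record("alice", "Awesome")["hash"] != alice["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

Plain concatenation in `sha256_scheme` gives user `c` with password `ab` the same hash as user `bc` with password `a`; the PBKDF2 variant avoids that and also makes each stored value differ even when the same user sets the same password again.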
 
Another route (or in addition to the current route) would be to use the GetSetting/SaveSettings functions to write your (their?) password data to the registry (on the user's machine).

If your data is not stored in a 'central' location, you may not need to go through the encrypt/decrypt process.

Trapped outside the box,
CMP
 
Excellent idea, Caution; it wouldn't work with most of the programs I've developed because the users don't always run the program from their own machines, but I have a couple of projects where it will work very well.

Have a star!

Tom
 
Caution... The program IS being run from a central location... I'm sticking with the sha256 idea...
BTW thanks for the link JT
 
Posts thread222-535644 (VB5) and thread705-1074505 have even more takes on this subject.
 