
    Force New Password

    Hi all!

    Is there a way to force passwords to expire?

    First I would like to assign a default password for each new user then have the application force them to enter their own new password.

    Subsequently, I would like to set a requirement in my system for passwords to expire every 45 days and require the new password to be unique from the previous 4 passwords the user has used.

    This probably means designing my own login routine with a dataset to store the information.

    Any thoughts?

    Thanks,
    Jerry Gray

    #2
    RE: Force New Password

    Jerry,

    You might do some rethinking on that.
    Though such a scheme is not uncommon, it does more to harm than to improve security.
    The users won't like such a scheme and the biggest security leak is that passwords are written down. Even on a post-it note attached to the display.

    So the user is forced to come up with a new password and one that hasn't been used the previous 4 times. Could you remember at that point what you've used the first 3 times?
    You probably end up just picking a random word, typing some random characters or starting a discussion with the nearest colleague about what to use this time. You are forced to write it down to remember it. Each time the application is started you have to type it in, so it's convenient to have it in plain sight!

    You instruct the users: Pick a password that's not too obvious and remember it by heart, DON'T WRITE IT DOWN.
    They will do it once, not over and over again.

    Just my opinion on passwords.

    Jos



      #3
      RE: Force New Password

      Jerry,

      Jos is right with his thinking about what happens in the real world. I have to work with this in win2000 so I know what he is talking about. But that does not answer your problem if this is what you have been asked to build. All you ask can be done but needs a lot of thought and code.

      You will need a table for all the Users with their passwords and dates. A Log On form which opens with the autoexec. Then you will need some code to check what has been entered against the security table. This is the tricky part and I am working on it myself. So far it is not an easy task.

      Regards

      Keith Hubert

      Guild Member
      London.
      KHDB Management Systems


        #4
        RE: Force New Password

        Hi Jerry,

        You probably need to create a couple of tables, one for basic user information with a unique identifier and a second one to store passwords and dates. Your second table could have fields such as: user_id, pw_cur, pw_1, pw_2, pw_3, pw_4, date_cur.

        You would need a log on form to start up when you open the application. You can use the autoexec or you can use the A5 built in startup form feature. I would suggest using case statements but basically your code would need to do the following:

        1) Check if user name exists in user_table; if it does not exist perhaps a dialog box instructing them to see the admin and then have Alpha close down completely denying them access. If the user name does exist you will proceed.
        2) Check the date_cur field and if >= 45 then a dialog box requesting a new password which you could assign the value to a variable. If not >= 45 then compare the password entered and if valid, open that user's default main menu.
        3) New password submitted: check pw_1, pw_2, pw_3, pw_4 fields and compare them with the submitted password (this is where I would probably use case statements). If they are not the same then, take the new password and write it to the pw_cur field and put the current date in the pw_cur field. Open that user's default main menu. If the new password matches one of the other 4, then return a dialog explaining this and requesting a new unique password, running through that same code until a valid password is entered.

        Good luck
        Cheryl
        #1 Designs By Pagecrazy
        http://pagecrazy.com/



          #5
          RE: Force New Password

          Jos and Keith,

          My real job involves using applications based on an AS400. Every in-house system adheres to this password policy. What typically happens is a user picks a password and appends a number to it, changing the number each time they are forced to change their password. I personally would prefer the user to simply be forced to change their password without reference to previous passwords.

          Cheryl,

          I'm trying to convince them to allow reuse of passwords.

          Is there a way to programmatically call the Change Password screen? I can age their password in the startup menu and call the screen, if I can get to it.

          If I'm not successful in the reuse of passwords, I believe you are right in that using CASE will be the proper method.

          Thanks everyone for the feedback.

          Jerry



            #6
            RE: Force New Password

            Jerry, Keith and Cheryl,

            When you're in for such a scheme and you (your client) mistrust the user on selecting a new password, why settle for just the last 3 passwords used?
            And should you indeed allow the user to set up his/her own scheme using something like jos1, jos2, jos3, jos4, jos5....?
            Shouldn't you also check the password for minimum requirements, length, common words?

            Too difficult to implement, too many tests, password tables to secure?

            No, just don't let the user choose a password, hand one out yourself!

            You need just a minimum of code to implement this, most is already present in A5.
            You simply generate a password with the RAND_STRING() function. Append a digit to it based on a formula like:
            digit = int(mod((DATE() - {1/1/2004})/45,10))
            If you don't like the digit to be at the same position every time, you could randomize a position in the password where it is to be placed, for example:
            password = STUFF(RAND_STRING(8),9*RAND(),CHR(digit+48))

            You can use the standard password/login features of A5. The only thing you have to do is to calculate the digit the moment the user is logged in and test if it is contained in the password.
            When it isn't, the password is expired and you display a warning stating he/she will be given a new one, has to make sure no one is watching, doesn't write it down etc...
            When that dialog is closed, you present the new generated password, update the password of the user with this one. As this dialog closes you reopen the database.

            Jos



              #7
              RE: Force New Password

              Jos,

              I'm not sure I follow you. But I think you...

              1. generate a digit from your function that is good for 45 days.

              2. the digit is inserted into the password and if it exists, the password is good to go, otherwise a new password is generated.

              Do I have that right?

              If so, how does that get around the issue of users writing down the random password on their desk next to the machine where everyone can see it (the real-world problem described above)?

              BTW: your sample password function is missing a parameter. I would be curious to see it as you intended it.

              Peter
              AlphaBase Solutions, LLC

              https://www.alphabasesolutions.com


                #8
                RE: Force New Password

                If you have to "roll your own" password routine to check dates and previous passwords, the current password would probably be stored in the same table (hopefully encrypted in one way or another) and calling the system password routine wouldn't do much good.

                However, if you do it in such a way that the current password is stored as an "alpha" password, you would have to write your own xdialog or other form to get the old and new password (not a big deal) then use the a5_change_user_password(user_name,pw_old,pw_new) command to actually change the password in the system once the old and new passwords have been verified. The whole routine shouldn't be more than about 50 lines using xdialog.

                Cal Locklin
                www.aimsdc.net



                  #9
                  RE: Force New Password

                  Peter,

                  You're right, the statement should read:
                  password=STUFF(RAND_STRING(8),9*RAND(),1,CHR(digit+48))
                  I forgot to include the parameters for the number of characters to replace.

                  I think you got it right:

                  1. Generate the password which includes the calculated digit, for example "ivxjhp5n", set it in A5 and hand it out to the user.

                  2. The user has to login using this password, we let A5 do the checking whether user and password matches.

                  3. The moment the user is logged in, we calculate the digit again and check if it is contained in the password of this user. When it is we don't have to do anything.

                  4. When the calculated digit of the date the user logs in isn't included, the password is expired, 45 or more days have passed since we generated it (for simplicity forgetting that the first period can be shorter).
                  We then generate a new password, hand it out, close and reopen the database so the user has to log in with the new password.

                  I can't think of any way to prevent the user from writing the password down. The only thing you could do is simplify the password so it can be remembered but still is secure enough to prevent unauthorized use.

                  Jos


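
The date-digit expiry check from posts #6 and #9, modelled in Python as an added example (not code from the thread and not Alpha Five Xbasic). It assumes RAND_STRING() yields letters only, so the stuffed digit is the only digit in the password; the function names are hypothetical.

```python
import secrets
import string
from datetime import date, timedelta

EPOCH = date(2004, 1, 1)   # the {1/1/2004} constant in the posted formula
PERIOD_DAYS = 45


def period_digit(today: date) -> int:
    """digit = int(mod((DATE() - {1/1/2004}) / 45, 10))"""
    return ((today - EPOCH).days // PERIOD_DAYS) % 10


def issue_password(today: date, length: int = 8) -> str:
    """Random letters with the current period digit stuffed in at a random position.

    Letters-only output is an assumption about RAND_STRING(); if the random
    part could contain digits, the expiry check below could match by chance.
    """
    chars = [secrets.choice(string.ascii_lowercase) for _ in range(length)]
    chars[secrets.randbelow(length)] = str(period_digit(today))
    return "".join(chars)


def is_expired(password: str, today: date) -> bool:
    """The check run after a successful login: is today's digit in the password?"""
    return str(period_digit(today)) not in password


def days_valid(issued: date) -> int:
    """Number of days from issue until the check first reports expiry."""
    password = issue_password(issued)
    days = 0
    while not is_expired(password, issued + timedelta(days=days)):
        days += 1
    return days


if __name__ == "__main__":
    # Issued on a period boundary: the full 45 days.
    print(days_valid(EPOCH))
    # Issued on the last day of a period: expires the next day.
    print(days_valid(EPOCH + timedelta(days=44)))
    # The digit repeats every 10 periods, so a password that was never
    # replaced passes the check again 450 days later.
    old = issue_password(EPOCH)
    print(is_expired(old, EPOCH + timedelta(days=450)))
```

Because the periods are fixed to the calendar rather than to the issue date, a password lasts anywhere from 1 to 45 days, and storing an explicit issue date per user avoids both that and the 450-day repeat.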


                    #10
                    RE: Force New Password

                    To all,

                    First I would like to second Jos's opinion that expiring and forcing password change is counter productive.

                    My company started off making passwords valid for 6 mos. Then changed it to 2 mos. and now it's valid for only one month. I expect soon we'll have to change every day, due to management paranoia, :(

                    So, in order to be able to remember my password 'list' (the history is 12), I store them in an inconspicuous file on my PC, and write down a 'hint' pw and put it into a drawer.

                    That being said, If you do really need to go the paranoid route :), at least make the table encrypted, otherwise, it becomes accessible to anyone that is aware of it.



                      #11
                      RE: Force New Password

                      Melvia,

                      They probably have to look for something like fingerprint or iris identification. And of course some device that would shut down the PC when the user is more than five feet away from it.
                      Best would be to implant a chip monitoring some critical bodily functions and sending it to the PC. It could also be used to register productivity, location and the like.
                      Propose this to your management team so they can setup a trial on themselves.

                      Jos



                        #12
                        RE: Force New Password

                        Password security seems to be the buzz word these days. One company system I use requires one logon for the main system and then another for a subsystem. Each is unique, must be a fixed length (diff for each), use both letters and numbers, and expires after 30 days. A password can not be reused for 1 year. A related system uses another password, but this one must include a non alphanumeric character (the others can not use non alphanumeric). A password can never be reused in that system (I wonder about that one) but doesn't expire for 90 days. The result? Nearly everyone uses their initials and the month and year for the passwords. Either that, or they write it down.

                        The same company uses additional passwords for other related systems. I don't use all of the systems much, so almost always the password becomes a single use password as it expires before I can use it again. Most people keep a list of passwords attached to their computer as it is impossible to remember them all. Some security. I have so many, I use a password program called passwordprompter that once was freeware. I can't even keep track of the different rules, let alone the actual passwords.

                        However, if that routine is required (has to be a frustrated IT person behind it), you will have to save a list of old passwords and the last change date. The easiest way to save the old passwords is to create a character field at least 4 times as long as the password field length. As a password is used, add the word to a string of words with a space between each word. For example, you could have used three passwords already and the field might contain

                        "password1 password2 password2"

                        Using various word count functions and word search functions, it would be easy to determine if a password was in the string. When the word count was 4 or whatever and a new password was created, drop the first word (oldest saved password) and add the new one to the end of the string. Whenever the user logs on, you could compare the current date with the last change date. If the difference was over the "limit", force a new password.

                        All in all, a big pain in the --- for little security gain. But it makes some people happy and gives the illusion of security.

                        Jerry

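
The login flow from posts #4 and #12 (default password that must be changed, 45-day expiry, no reuse of the last 4 passwords), as an added example that is not part of the thread. It is written in Python to show the logic rather than Alpha Five Xbasic, and it keeps salted hashes instead of readable old passwords, in line with the concern in posts #8 and #10 about protecting the table; the record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_AGE_DAYS = 45    # expiry interval asked for in the first post
HISTORY_DEPTH = 4    # a new password must differ from the last 4 used
ITERATIONS = 100_000  # illustrative PBKDF2 work factor (assumption)


def _entry(password: str) -> tuple:
    """Hash a password with a fresh random salt; only (salt, digest) is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def _matches(password: str, entry: tuple) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def new_record(password: str, today: date, must_change: bool = False) -> dict:
    """hashes[0] is the current password; older ones follow, newest first."""
    return {"hashes": [_entry(password)], "changed_on": today, "must_change": must_change}


def login(record: dict, password: str, today: date) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    if not _matches(password, record["hashes"][0]):
        return "denied"
    age = (today - record["changed_on"]).days
    if record["must_change"] or age >= MAX_AGE_DAYS:
        return "change_required"
    return "ok"


def change_password(record: dict, new_password: str, today: date) -> bool:
    """Refuse a password found among the last HISTORY_DEPTH; otherwise rotate."""
    if any(_matches(new_password, e) for e in record["hashes"]):
        return False
    record["hashes"] = ([_entry(new_password)] + record["hashes"])[:HISTORY_DEPTH]
    record["changed_on"] = today
    record["must_change"] = False
    return True


if __name__ == "__main__":
    start = date(2024, 1, 1)  # constructed sample date
    rec = new_record("Welcome1", start, must_change=True)  # admin-assigned default
    print(login(rec, "Welcome1", start))                   # change_required
    print(change_password(rec, "Welcome1", start))         # False: reuse
    print(change_password(rec, "first-own-pw", start))     # True
    print(login(rec, "first-own-pw", start + timedelta(days=45)))  # change_required
```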


                          #13
                          RE: Force New Password

                          Currently, A5 does not have a facility to force reuse of passwords, however one could code it themselves. You could write your own system quite easily using user startup scripts and the following function:

                          a5_security_option("ChangeLoginPassword")

                          This will bring up the change password dialog.

                          A better solution would be to use the 'Use Windows Logon' option and then use Windows' built-in security features.
                          Aaron Brown
                          Alpha Software Development Team



                            #14
                            RE: Force New Password

                            Thanks Aaron...

                            With all the feedback I think I will find a workable solution.

                            Jerry
