Password restricted re-use : does it work?

    Password restricted re-use : does it work?

    I've done quite a bit of testing on the Security Framework option to restrict password re-use and find it not working. See image. In my tests, I have set the Restrict Re-Use to a value of 1, which is supposed to disallow re-use of the existing password. But upon trial, I can reset my password to the existing value with no problem. I have also tried setting that value to 8, with the same result: I can re-use any password.

    I believe the web file that contains these settings is Project.SecuritySettings and I have made sure this file is newly published.

    Has anyone successfully used this option?
    Attached Files
    Steve Wood
    See my profile on IADN


    #2
    Re: Password restricted re-use : does it work?

    I figured part of this out. Alpha has a Change Your Password option that is built into the Login dialog. You can toggle that on in Security Framework. That method does work to restrict the password from re-use. But the method where you reset the security details from a UX component, using Action Scripting, seems not to take restricting re-use into account. I will turn it in as a bug after more testing.

    Now, there is no way I can use Alpha's Change Your Password feature that is attached to the Login Dialog, and no one else should either. It does not use an email sent to the user to validate they are who they say they are. Same with Alpha's other password recovery options. All of them are outdated. I have my own Password Reset feature that does it correctly with a confirmation email.
    Steve Wood
    See my profile on IADN



      #3
      Re: Password restricted re-use : does it work?

      I'd like to resurrect this thread.

      Steve and I have a custom UX for login and password recovery/re-setting that uses Alpha's security functions to work with Alpha's security framework.

      But we're having a growing number of users attempting to re-set their password, entering one of the restricted passwords (last 4 not allowed) and moving along with apparent success. That is, until they attempt to use their "new" password that doesn't exist, because the re-use restriction policy actually prevented the resetting of the password.

      The problem is there seems no way to catch this or be able to inform the user.

      When using a restricted password with a5ws_Save_WebUser_Values(), no error is produced.

      There doesn't seem to be a function we might use to check for restriction before proceeding. Something like a5ws_passwordrestricted(uservalue.userid, password).

      So, right now we just have users who thought they re-set their password, eventually figure out they did not and file a ticket with support.

      Anyone figure out how to manage this?
      -Steve


        #4
        Re: Password restricted re-use : does it work?

        I worked this out for a client that wanted to restrict to not allow the last 20 password uses and will dig that up.
        Steve Wood
        See my profile on IADN



          #5
          Re: Password restricted re-use : does it work?

          This kind of restriction just leads users to use the same base password plus a number, for example password12, and next time password13, and so on. It is the only way to survive the current password madness in companies.

          Ken

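Posts #3 and #5 above raise two gaps in the re-use check: a restricted password is silently accepted by a5ws_Save_WebUser_Values() with no error the UX can show, and a plain "last N" rule is defeated by password12 becoming password13. The following is an added example, written for this page in Python rather than Xbasic and not code from Alpha or from anyone in this thread. It assumes an in-memory user record that keeps a salted PBKDF2-HMAC-SHA256 digest for the current password and the previous ones (newest first), a history depth of 4 as in post #3, and a user who supplies the old password when changing it; none of that describes how Alpha Anywhere actually stores its history, which the thread does not document. The point is that the change function returns an explicit (ok, message) pair so the caller can tell the user why the change did not happen, and that it additionally refuses the trailing-counter variant Ken describes, which goes beyond the built-in option.

```python
import hashlib
import hmac
import os
import re

# Assumptions for this added example (not Alpha's storage format):
#   user["history"] is a list of (salt, digest) pairs, newest first,
#   digest = PBKDF2-HMAC-SHA256(password, salt, PBKDF2_ROUNDS).
HISTORY_DEPTH = 4          # "last 4 not allowed", as in post #3
PBKDF2_ROUNDS = 100_000    # illustrative work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _entry(password: str):
    salt = os.urandom(16)
    return (salt, _hash(password, salt))


def _matches(password: str, entry) -> bool:
    salt, digest = entry
    # constant-time compare so timing does not reveal which history slot matched
    return hmac.compare_digest(_hash(password, salt), digest)


def _normalized(password: str) -> str:
    # drop a trailing counter and case-fold, so "Password12" and "password13" collide
    return re.sub(r"\d+$", "", password).casefold()


def new_user(initial_password: str) -> dict:
    return {"history": [_entry(initial_password)]}


def password_restricted(user: dict, candidate: str, depth: int = HISTORY_DEPTH) -> bool:
    """True if candidate equals the current password or one of the depth-1 before it.
    This is the check post #3 wished for (a5ws_passwordrestricted-style)."""
    return any(_matches(candidate, e) for e in user["history"][:depth])


def trivial_variant(old_password: str, new_password: str) -> bool:
    """True if the new password is the old one with only a trailing number changed
    (the password12 -> password13 pattern from post #5)."""
    return _normalized(old_password) == _normalized(new_password)


def change_password(user: dict, old_password: str, new_password: str,
                    depth: int = HISTORY_DEPTH):
    """Returns (ok, message). On failure nothing is stored and the message is
    safe to show to the user, so a refused change never looks like success."""
    if not _matches(old_password, user["history"][0]):
        return False, "current password is incorrect"
    if password_restricted(user, new_password, depth):
        return False, f"password was used within your last {depth} passwords"
    if trivial_variant(old_password, new_password):
        return False, "new password differs from the old one only by a trailing number"
    user["history"].insert(0, _entry(new_password))
    del user["history"][depth:]   # keep exactly `depth` entries: current plus depth-1 previous
    return True, "password changed"
```

In a UX server-side event this is the shape to aim for: run the restriction check before calling whatever saves the credential, and return its message to the dialog instead of assuming the save succeeded. The variant check only compares against the current password, because that is the one password the user has just proven knowledge of in clear; comparing normalized forms against older history entries would require storing a weaker digest of each password's base, which is not worth the exposure.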


            #6
            Re: Password restricted re-use : does it work?

            I am using a UX component which restricts the reuse of x number of passwords. When it expires, they click a change password link on the component (which they can do at any time), enter the old password, enter the new password twice, and if successful they get a positive response; if it fails they get the invalid password response as set in the web security configuration. I have not seen any issues with it accepting a restricted password.
            Glen Schild



            My Blog



              #7
              Re: Password restricted re-use : does it work?

              Ken, I totally agree (my client made me do it). It is similar to how my wife always hides the garage key in a different location each time - so as to confound the thief who might be trying to find it.
              Steve Wood
              See my profile on IADN



                #8
                Re: Password restricted re-use : does it work?

                Glen - sounds like you're using the "out of the box" login component, or at least something much closer to the OEM than we are. We've customized quite a bit. We use a system like you see at IADN where you request to change your password, you're sent an email link, etc.
                -Steve


                  #9
                  Re: Password restricted re-use : does it work?

                  I'm using a UX I made for login purposes. The password restriction is working for me. My users enter the old password and a new password twice. The button to submit is just {dialog.object}.submit();. My afterDialogValidate server-side event only has ExecuteServerSideAction("Change Web Security Password::Change_Web_Security_Password") in it. In web security configuration, password restricted re-use is checked.

                  Edit: I'm not using the login component. This UX is entirely my design.
                  Mike Brown - Contact Me
                  Programmatic Technologies, LLC
                  Programmatic-Technologies.com
                  Independent Developer & Consultant​​



                    #10
                    Re: Password restricted re-use : does it work?

                    But Mike, no one does it that way today. Best Practice is to send an email to registered address, force them to verify, then change their password.
                    Steve Wood
                    See my profile on IADN



                      #11
                      Re: Password restricted re-use : does it work?

                      Originally posted by Steve Wood:
                          But Mike, no one does it that way today. Best Practice is to send an email to registered address, force them to verify, then change their password.
                      Of course and if my clients want that I'll make it happen. New apps I'm creating do just that but my older apps from years ago do not and those people don't want to pay for it.
                      Mike Brown - Contact Me
                      Programmatic Technologies, LLC
                      Programmatic-Technologies.com
                      Independent Developer & Consultant​​



                        #12
                        Re: Password restricted re-use : does it work?

                        Originally posted by Steve Workings:
                            Glen - sounds like you're using the "out of the box" login component, or at least something much closer to the OEM than we are. We've customized quite a bit. We use a system like you see at IADN where you request to change your password, you're sent an email link, etc.
                        Pretty much, although I am just adding an email out to the user confirming that their password has just been changed. The login is on a UX component and the change password is a separate UX component.
                        Glen Schild



                        My Blog

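Posts #10 and #12 describe the flow the thread converges on: a reset is requested, a link is sent to the registered address, the user proves they received it, only then is the password changed, and a notice goes out afterwards. The following is an added example of that flow, written for this page in Python and not code from Alpha, IADN, or anyone in the thread. It assumes a user table held in a dict, a mail sender replaced by an in-memory outbox (constructed for the example), a fixed 15-minute token lifetime, and PBKDF2-HMAC-SHA256 for the password itself; the property names and the ResetService class are mine. The details that matter are that only a hash of the token is stored, the link goes to the address on file rather than one typed into the request form, the request path returns the same result whether or not the account exists, and the token is single-use and expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not Alpha's code. users: user_id -> {"email", "salt", "digest"}.
# The outbox list stands in for the mail sender so the example runs offline.
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
PBKDF2_ROUNDS = 100_000       # illustrative work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _token_digest(token: str) -> bytes:
    # the token has 256 bits of entropy, so an unsalted SHA-256 is enough to keep
    # the stored value useless to anyone who can read the table
    return hashlib.sha256(token.encode("ascii")).digest()


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "digest": _hash_password(password, salt)}


class ResetService:
    def __init__(self, users: dict, outbox: list, clock=time.time):
        self.users = users
        self.outbox = outbox
        self.clock = clock        # injectable so expiry can be tested without sleeping
        self.pending = {}         # user_id -> {"digest": bytes, "expires": float}

    def request_reset(self, user_id: str) -> None:
        """Always returns None: the requester learns nothing about whether user_id exists."""
        user = self.users.get(user_id)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[user_id] = {
            "digest": _token_digest(token),
            "expires": self.clock() + TOKEN_TTL_SECONDS,
        }
        # the link is delivered only to the address on file, never to one supplied
        # in the request, so possessing the token proves control of that mailbox
        self.outbox.append({"to": user["email"], "token": token})
        return None

    def complete_reset(self, user_id: str, token: str, new_password: str) -> bool:
        rec = self.pending.get(user_id)
        if rec is None:
            return False
        if self.clock() > rec["expires"]:
            del self.pending[user_id]          # expired: discard and fail
            return False
        if not hmac.compare_digest(_token_digest(token), rec["digest"]):
            return False                        # wrong token; 256-bit tokens make guessing infeasible
        del self.pending[user_id]               # single use, consumed before the password changes
        user = self.users[user_id]
        user["salt"] = os.urandom(16)
        user["digest"] = _hash_password(new_password, user["salt"])
        # the after-the-fact notice Glen mentions in post #12
        self.outbox.append({"to": user["email"], "notice": "your password was changed"})
        return True

    def verify_login(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        if user is None:
            return False
        return hmac.compare_digest(_hash_password(password, user["salt"]), user["digest"])
```

The re-use rules from the earlier posts belong inside complete_reset, before the new digest is written, and a refusal there should surface as a message rather than a silent no-op, which is the failure post #3 describes. In a real deployment the outbox becomes the mail sender and the pending table becomes a database table, but the hashed-token, single-use and expiry checks are the same.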


                          #13
                          Re: Password restricted re-use : does it work?

                          Glen,
                          Are you using the new "context.security" methods, the old A5WS functions, or the crazy Server-Side Action scripting to change the password?


                          I have switched all my stuff to the "context.security" methods, but I have put a restriction on password re-use.



                            #14
                            Hi Everyone.

                            Can anyone tell me how to activate this password restriction, please? I already set it up in web security to 5. When I set up my custom UX to change the password (where the user only keys in the password and confirm password), this password restriction seems not to be working. Can anyone help me on how to use this password restriction in a custom UX? Or is this actually a bug from Alpha? I can't even see any list storing all the passwords that may be used for the password restriction in the SQL or anywhere. So I really wonder how this thing works, as my client really wants these features in their product.

                            Attached is the setup that I've done.

                            Really hope that someone can help me with this.
                            Attached files: set.png, set2.png


                              #15
                              These are all just tables exposed in your own database; it's more a permission system than a password security system. The great thing about it is, if you don't have the required permission you cannot get access to the components that require authentication. BUT the only thing preventing developers from complete control is the current encryption system option: while it's true we as developers know in most cases the encryption key, we don't know the algorithm, so there is no moving out of the control. BUT if encryption is set to off, then developers can take it from there; the UUIDs etc. used by groups etc. are easy to set and create outside of the security control. So if you want complete control, and have the benefits of the permissions to pages and/or components, then create your own defense to protect the password and then provide the tools for users to recover: email, two factor, or whatever they want to do.

                              The other issue with the current system is it sets (and it's not a criticism) encryption in the back-end (in the developer's space). In more recent times, corporations I have dealt with won't wear that; they want their IT to manage it, so the client-side is the way to go. That's why I experimented and got a viable and secure alternative, giving the client total control of permissions for when the day arrives that the developer leaves the room. As they say, always tread your own path, but don't be afraid to see what's over the hill.

                              Pete - Stay safe.
                              Insanity: doing the same thing over and over again and expecting different results.
                              Albert Einstein, (attributed)
                              US (German-born) physicist (1879 - 1955)
