Password Attempts

writer2000

I want to limit password attempts to three, but I am unsure how. I am new to coding. Please help? Here is what I have so far:
Code:
Private Sub Command1_Click()
    Dim User As String
    Dim AccessLevel As Integer
    Dim TempPass As String
    Dim ID As Integer
    Dim WorkerName As String
    Dim TempLoginID As TempVar
    Dim DepartmentID As Integer

    If IsNull(Me.txtUserName) Then
        MsgBox "Please enter UserName", vbInformation, "Username Required"
        Me.txtUserName.SetFocus
    ElseIf IsNull(Me.txtPassword) Then
        MsgBox "Please enter Password", vbInformation, "Password Required"
        Me.txtPassword.SetFocus
    Else
        If (IsNull(DLookup("LoginID", "tblworker", "LoginID = '" & Me.txtUserName.Value & "' And password = '" & Me.txtPassword.Value & "'"))) Then
            MsgBox "Invalid UserName or Password!"
        Else
            TempVars!TempLoginID = Me.txtUserName.Value
            WorkerName = DLookup("[workername]", "tblworker", "[LoginID] = '" & Me.txtUserName.Value & "'")
            TempPass = DLookup("[password]", "tblworker", "[LoginID] = '" & Me.txtUserName.Value & "'")
            ID = DLookup("[workerid]", "tblworker", "[LoginID] = '" & Me.txtUserName.Value & "'")
            AccessLevel = DLookup("[UserType]", "tblworker", "[LoginID] = '" & Me.txtUserName.Value & "'")

            Dim stDocName As String
            DoCmd.SetWarnings False
            stDocName = "qryLogInTimes"
            DoCmd.OpenQuery stDocName, acNormal, acEdit
            DoCmd.SetWarnings True

            If Not IsNull(DLookup("[Deptname]", "tblworker", "[LoginID] = '" & Me.txtUserName.Value & "'")) Then
                DepartmentID = DLookup("[Deptname]", "tblworker", "[LoginID] = '" & Me.txtUserName.Value & "'")
            End If
            DoCmd.Close
            
            If (TempPass = "password") Then
                MsgBox "Please change Password", vbInformation, "New Password Required"
                DoCmd.OpenForm "frmworkerinfo", , , "[workerid] = " & ID
            Else
                DoCmd.OpenForm "NavigationF"
                Forms![NavigationF]![txtLogin] = TempVars!TempLoginID
                Forms![NavigationF]![txtUser] = WorkerName
                Forms![NavigationF]![txtSecurity] = AccessLevel
                'call security level from sub function below
                Call Security(AccessLevel, DepartmentID)
            End If
        End If
    End If
End Sub
 
I would have a new Dim i as integer

Code:
 ...
 ...
    Dim DepartmentID As Integer
    Dim i As Integer

    i = 0
    If IsNull(Me.txtUserName) Then
        MsgBox "Please enter UserName", vbInformation, "Username Required"
        Me.txtUserName.SetFocus
    ElseIf IsNull(Me.txtPassword) Then
        MsgBox "Please enter Password", vbInformation, "Password Required"
        Me.txtPassword.SetFocus
    Else
        If (IsNull(DLookup("LoginID", "tblworker", "LoginID = '" & Me.txtUserName.Value & "' And password = '" & Me.txtPassword.Value & "'"))) Then
            MsgBox "Invalid UserName or Password!"
            i = i + 1
            If i = 3 Then
                MsgBox "Maximum number of attempts reached", vbOKOnly
                DoCmd.Quit
            End If
        Else
 
Think twice about this. Everyone goes crazy with "security" but ultimately you just wind up with a lot of PITA instead of security. Access is not security anyway!

So after 3 attempts a cooling-off period? Or bother the systems guy? OR just give up and go home? Why not 10? What difference does it actually make? Prevents brute-force attack on an internal network, where most Access db's are? That does not make much sense, does it?
 
Thank you so much for your response!!! I entered in the code, but it still isn't locking out after three attempts? It is not giving me an error of any kind. Unsure what I did wrong?
 
> Think twice about this. Everyone goes crazy with "security" but ultimately you just wind up with a lot of PITA instead of security. Access is not security anyway!
>
> So after 3 attempts a cooling-off period? Or bother the systems guy? OR just give up and go home?

I see your point. Unfortunately, I have been asked to research this and implement it if possible. :banghead: haha every time I think I'm done, I am given a list of things to add. This is the first database I have ever built.
 
Add the requestor's mobile phone number in the info screen after 3 failed attempts. That'll probably cure the problem pretty pronto :D
 
In cj's code, this is the problem:

Dim i as Integer
i=0

With this at the top, you start again at 0 each time. You need to set the counter OUTSIDE the login test.
 
> In cj's code, this is the problem:
>
> Dim i as Integer
> i=0
>
> With this at the top, you start again at 0 each time. You need to set the counter OUTSIDE the login test.

Oh very cool! How do I set the counter outside the login test?
 
Am I missing the LOOP Here? I would think the process would want to loop back to retry and count the iterations. Consider the following Pseudo-Code as a starting point.

-- Rookie

Code:
    Dim MaxFailsAllowed As Integer
    Dim FailCount As Integer
    Dim ValidID As Boolean

    MaxFailsAllowed = 3
    FailCount = 0
    ValidID = False

    Do While (ValidID = False) And (FailCount < MaxFailsAllowed)

        ' User enters Username to test
        ' User enters Password to test

        ' Validate the User Entries

        ' If the Program Validates the entered ID
        '     Set ValidID = True
        ' Else
        '     FailCount = FailCount + 1
        '     Clear out Invalid Values
        ' End If

    Loop

    If FailCount = MaxFailsAllowed Then

        ' Exit the Procedure

    End If

    ' Perform additional operations related to successful entry

NOTE: I guess this is what happens when I am called away from my desk and complete a post without checking for updates first.
 
MSAccessRookie - what is happening? Do you have a bad-hair day today or something? :D
 
For what it is worth, if you are dealing with any computer system owned by the U.S. Government and the box has a security rating higher than "unclassified" then you will have some sort of "password retry" limit. It is not merely a nutsy customer requirement, it is a nutsy government regulation. Even machines marked "Sensitive but Unclassified" (sometimes also marked as "For Official Use Only" in some contexts) will have this. If it has ANY AMOUNT of Personal Identification Information (PII), it will have this requirement. Therefore, I'm not surprised to see the question.

Spikepl - if there was a way for me to do a quick tap to the head with a spiked warhammer to the government folks who mandated this, I would probably be willing to risk it even for the very brief satisfaction it would bring me. But the sad truth is that with the recent news about folks stealing OPM data to the tune of millions of personnel records, that hammer would be better used on the hackers. Therefore I take it seriously when someone says they need some sort of security measure.

writer2000 - if your Access is on a domain and if you have domain-based, password-based or smart-card based logins, you can set your Windows policy to do some of this work for you. The U.S. Government recognizes something called the Single Sign-On method in which you sign on to the most restrictive thing you have (usually the domain controller doing a RADIUS check to authenticate you or a Kerberos connection). Then establish a trust relationship between your login system and your database. If you can get away with this, it is more secure than you would probably be able to program yourself given the difficulty associated with having someone else do the unlocking. If you already have a domain infrastructure with Active Directory methods, a lot of what you need would already be in place.

I'm not trying to dissuade you from "rolling your own" security but if it is for a legit business need, talk with your boss about what I mentioned above. If you aren't re-inventing the wheel here, I'd be very surprised. If your site locks down the domain tightly enough then you can push a Group Policy template to set the workstation to do all sorts of password tests and rules for you.

If this isn't your situation, then you will have little choice but to do it yourself. Let us know which way this is going.
 
You want to do more than just increasing a counter variable. You need to save the number of attempts in a table and the date/time of each attempt and check against that record in each attempt, increment the number, update the date/time.

That way even if a user logs out and logs in after 1 or 2 attempts your verification process is still active and you can enforce a time constraint as well.
 
The_Doc_Man: I'm not knocking mandated stupidity - only the voluntary kind :D
 
Spike - I learned a long time ago that artificial intelligence cannot cope with natural stupidity, and I don't know of ANYTHING stupider than a Congressional Security Oversight committee.
 
After 3 fails, you can refuse to accept any password - even the right one. That'll teach 'em.
 
> For what it is worth, if you are dealing with any computer system owned by the U.S. Government and the box has a security rating higher than "unclassified" then you will have some sort of "password retry" limit. It is not merely a nutsy customer requirement, it is a nutsy government regulation. Even machines marked "Sensitive but Unclassified" (sometimes also marked as "For Official Use Only" in some contexts) will have this. If it has ANY AMOUNT of Personal Identification Information (PII), it will have this requirement. Therefore, I'm not surprised to see the question.
>
> Spikepl - if there was a way for me to do a quick tap to the head with a spiked warhammer to the government folks who mandated this, I would probably be willing to risk it even for the very brief satisfaction it would bring me. But the sad truth is that with the recent news about folks stealing OPM data to the tune of millions of personnel records, that hammer would be better used on the hackers. Therefore I take it seriously when someone says they need some sort of security measure.
>
> writer2000 - if your Access is on a domain and if you have domain-based, password-based or smart-card based logins, you can set your Windows policy to do some of this work for you. The U.S. Government recognizes something called the Single Sign-On method in which you sign on to the most restrictive thing you have (usually the domain controller doing a RADIUS check to authenticate you or a Kerberos connection). Then establish a trust relationship between your login system and your database. If you can get away with this, it is more secure than you would probably be able to program yourself given the difficulty associated with having someone else do the unlocking. If you already have a domain infrastructure with Active Directory methods, a lot of what you need would already be in place.
>
> I'm not trying to dissuade you from "rolling your own" security but if it is for a legit business need, talk with your boss about what I mentioned above. If you aren't re-inventing the wheel here, I'd be very surprised. If your site locks down the domain tightly enough then you can push a Group Policy template to set the workstation to do all sorts of password tests and rules for you.
>
> If this isn't your situation, then you will have little choice but to do it yourself. Let us know which way this is going.

This is for a legit business with government contracts (and deals with a lot of PII), but the situation is an interesting one. We are going from mostly paper to paperless. I am the jack of all trades at my work whose specialty is writing (books, not code haha). I was tasked with learning MS Access (I have about a month under my belt now) and building a database so it can be audited by a very big company. Yea, no small task. I am on week 2 of learning Visual Basic and SQL. The database, surprisingly and thankfully, is up and running. However, I have a few big things I am still trying to do. Like, I have a change user password form, but I have no idea how to make it so it verifies the old password before it allows someone to enter a new password. I managed to get the attempts to enter the password to three to work, but yea, all they have to do is restart the database and they can go at it again. I also need to increase the password strength requirements and set a date expiration for the passwords. Oy. :confused: And I don't think they understand how difficult any of it is.

Don't get me wrong, I have enjoyed working on this. I installed an audit trail, a log in/out tracker, a user/password system, a working ticketing system (that works really well), and now I am finishing up installing an email alert system. I know I have to make the passwords "salt" instead of plain text, but I have to research what that means. Overall, the database works well and looks really nice. It just needs more coding in order to be finished. I know when you guys saw my code you were probably laughing at me (I'm just a novice). It's ok. I really appreciate all of your help. You guys are awesome. :D
 
> You want to do more than just increasing a counter variable. You need to save the number of attempts in a table and the date/time of each attempt and check against that record in each attempt, increment the number, update the date/time.
>
> That way even if a user logs out and logs in after 1 or 2 attempts your verification process is still active and you can enforce a time constraint as well.

How do I tell Access to check it each time?
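
Added example, not part of the original thread or any poster's code: one way to keep the failed-attempt count and its date/time in a table, as suggested above, so that restarting the database does not reset it. The table tblLoginAttempts, its field names, the 15-minute window and the helper names are assumptions made for illustration.

```vba
' Added example. Assumed table (not from the thread): tblLoginAttempts with
'   LoginID (Short Text, primary key), FailCount (Number), LastFail (Date/Time).
Private Const MAX_FAILS As Long = 3
Private Const LOCK_MINUTES As Long = 15      ' assumed cooling-off period

' Opens the attempt row for one login through a parameter query, so the typed
' user name is never concatenated into the SQL text.
Private Function OpenAttemptRow(ByVal LoginID As String) As DAO.Recordset
    Dim db As DAO.Database, qd As DAO.QueryDef
    Set db = CurrentDb
    Set qd = db.CreateQueryDef("", "PARAMETERS pLogin Text(255); " & _
        "SELECT * FROM tblLoginAttempts WHERE LoginID = [pLogin]")
    qd.Parameters("pLogin").Value = LoginID
    Set OpenAttemptRow = qd.OpenRecordset(dbOpenDynaset)
End Function

' True while the stored count is at the limit and the window has not expired.
Public Function IsLockedOut(ByVal LoginID As String) As Boolean
    Dim rs As DAO.Recordset
    Set rs = OpenAttemptRow(LoginID)
    If Not rs.EOF Then
        If rs!FailCount >= MAX_FAILS Then
            IsLockedOut = (DateDiff("n", rs!LastFail, Now()) < LOCK_MINUTES)
        End If
    End If
    rs.Close
End Function

' Call once after every password test, with the result of that test.
Public Sub RecordAttempt(ByVal LoginID As String, ByVal Succeeded As Boolean)
    Dim rs As DAO.Recordset
    Set rs = OpenAttemptRow(LoginID)
    If Succeeded Then
        If Not rs.EOF Then rs.Delete         ' clear the history on success
    Else
        If rs.EOF Then
            rs.AddNew
            rs!LoginID = LoginID
            rs!FailCount = 0
        Else
            rs.Edit
            ' Start a fresh count once the previous window has expired.
            If DateDiff("n", rs!LastFail, Now()) >= LOCK_MINUTES Then rs!FailCount = 0
        End If
        rs!FailCount = rs!FailCount + 1
        rs!LastFail = Now()
        rs.Update
    End If
    rs.Close
End Sub
```

In Command1_Click, call IsLockedOut(Me.txtUserName.Value) before the DLookup password test and leave the procedure if it returns True; after the test, call RecordAttempt with the user name and whether the test passed.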
 
