Password Policy

[Always_Learning]

Hi There,

I Have taken over an Access program and I have been asked to create a password policy in the program.
There is already a login screen but this just checks the credentials against a MS Sql database.

I need the password policy to be a bit like the windows policy where a user is prompted to change their password after x number of days, the user cannot use a password they have already used in the past, must contain uppercase lowercase numeric and special characters etc.

Does anyone know of any templates or anything that can give me a head start on this?

Thanks for your help.

Best Regards,

 

[Always_Learning]

Anyone got any ideas about this?

 

[bob fitz]

Have you tried searching the sample databases of this forum

 

[RainLover]

Always

This is very complicated. First check the archives as some one may have created a sample.

You need to accept that Access is not strong when it comes to this type of protection.

If you wish to proceed I will give you some advice in little pieces at a time.

As a starter search for the code that will hide/disable all of the toolbars. Then install that. Once installed see if you can break it. There are a few different ways of doing this so I will leave the choice up to you and Google.

Finally you do not display what version of access you are using.Also knowing your Location can at times be helpful. We don't need your address just your Location. Things work differently between the United Kingdom and Mexico. I think one uses Pounds Shillings and Pence and the other Peso.

If you can use Access 2003 then that would be helpful to a lot of the old timers here. We cannot afford to purchase every update.

 

[RainLover]

Bob

I was slow in writing so you beat me. I will let you help with this easy problem.

 

[bob fitz]

I think one uses Pounds Shillings and Pence and the other Peso.

Rain, time you paid us a visit. FYI Did away with shillings and 240 pennies in the pound back in the 1970's. Now have no shillings just 100 "new" pence in the pound.

 

[Always_Learning]

Hi There,
Thanks for your replies.

Access 2007. Microsoft SQL Server 2005 backend database.

I don't think I need to hide all menus or anything like that.
What I would like to do is when the user logs in:

Check a database table for the last time this user changed their password and if greater than 45 days advise them to change their password.

When the user goes to change their password:

Check the password passes set criteria I.E. Length, Alpha and numerical & special characters. Password has not been used before Etc.

I was just hoping that there was some code already created for this type of thing.

Thanks for any help you can give.

Best Regards,

 

[gemma-the-husky]

I think you don't have to worry so much about hiding toolbars. the thing is to encrypt the password.

So have a table that stores user names and their passwords, but encrypt the password. In every form put code that checks the user login status against the password, so they cannot circumvent your security. so if they didn't login correctly, they won't be able to open any form.

you can store the effective date of the password, and use that to force a password change when required.

if you actually want to prevent access to the data tables, then the suggestions above are worth investigating too.

 

[Always_Learning]

Hi Dave,

Thanks for your reply.

Yes, the basic password stuff is already in place and is encrypted.
I just need to inject the password policy stuff I mentioned.

Best Regards.

 

[gemma-the-husky]

as I say, just store an expiry date for the password. (encrypt the date too, if it is critical), then force users to enter and verify a new password.

you would need another table to store a password history.

none of this is particularly hard to do, I wouldn't have thought.

 

[The_Doc_Man]

The way this is typically done is that you don't need a password policy until you change it, and the administrator is immune to the policy (i.e. could create an "illegal" password.)

You need a "UserChangePassword" module that does something like this:

1. Prompt user for cleartext password. The Input box can be told to not echo input. You probably want the user to confirm the password by doing this a second time, so it is that you ask to "Enter new password" and then to "Verify new password."

2. Now that you have the cleartext password, you need to consider whether you will enforce complexity rules (like, uppercase, lowercase, digits, punctuation). If so, at this time you use the InStr function to scan each character and determine its category. In essence, your categories will be "UPPER" "LOWER" "DIGIT" "PUNCT" and "DISALLOWED" cases. The latter would include control characters and anything else that you don't want to deal with. I disallow spaces, tabs, anything that is non-printing, and a couple of characters that typically are handled as Windows or Access "special" characters. Either the password passes or fails complexity Since I am at a government site, my rules are to have a minimum of 2 each in the UPPER, LOWER, DIGIT, and PUNCT categories and a maximum of 0 in the DISALLOWED category.

3. Here, if the password meets complexity rules, you can check for minimum size. Do that next. Password minimum size is a pass/fail test.

4. If you want to do this and have a "dictionary" available, you can check for the user to have used a dictionary word for this. Look up Word to see if you can locate its dictionary file and see if there is a Word action or method that would let you compare the cleartext password vs. the dictionary. This is a pass/fail test.

5. If you want to check against password re-use, you need a password history table with username and password. I suggest that at this point you encrypt/hash the password so you can store <user,hashed-password,date-reset>. Password re-use is a pass/fail test. Either the hashed password is in the table or it is not.

6. Something that some sites require: A MINIMUM password age - to prevent the user from "churning" the password history table in an attempt to allow re-use of a "favorite" password. For this, you need to note the most recent password date AND TIME. Then get a DateDiff in units of seconds. For my site, it is required that a password stay as-is for 86400 seconds (= 1 day). This is a pass/fail test.

7. At this point, you can decide whether to change the password or not based on other rules that might apply. For instance, we have a site rule that says a user might be marked as "cannot change own password" (I.e. requires a supervisor to force the new password.)

So now, you've updated the password.

It is the login module that needs to accept a cleartext password, convert to encrypted format, and allows or disallows the login. But it is also here that you need a couple of other tests if you want to be a "big boy" type of password manager.

You know when the password was last updated. So if the password has an associated "maximum age" you can force a password update or disallow the connection if the user is marked as "supervisor must change password." You also need to consider that you should start counting password failures because typically, you do something like "If you get x failures in a row in y minutes, disable the account." Which means you need to track failures to have timing info on same, and you also need a "Supervisor must re-enable the account" flag to lock out further logins in that case.

One other thing: If you do this kind of anal-retentive checking, you need to consider that the message you give to the user must be limited in the information it returns. Like "Login failure" is all you say regardless of whether it was a bad username, a bad password, or a locked account, or the user's password has expired and needs reset.

Now, if you used domain-based logins and just captured your user's identity through the domain, this would be done for you automagically. However, if you MUST "roll your own" then these are the typical issues to consider.

 

[Always_Learning]

Hi DocMan,

Thank you for your detailed explanation, I appreciate you taking the time to help.

I'll get onto it and see how I get on.

Thanks Again.

 

[gemma-the-husky]

thats a pretty thorough response from DocMan. Not particularly hard to program (except for encryption/hashing), but needs a painstaking approach.

 

[RainLover]

as I say, just store an expiry date for the password. (encrypt the date too, if it is critical), then force users to enter and verify a new password.

you would need another table to store a password history.

none of this is particularly hard to do, I wouldn't have thought.

Dave

I thought you were one of those who said that it was incorrect to store calculated values.

 

[burrina]

Here is an example you could adapt to your situation, MAYBE!

Me.txtlogincnt = DLookup("[LoginCnt]", "tblUserSecurity_Sec", "[userID]='" & Me.txtUserID.Value & "'")

Me.txtlogincntno = DLookup("[SetLoginCnt]", "tblUserSecurity_Sec", "[userID]='" & Me.txtUserID.Value & "'")

txtlogincnt and txtlogincntno are unbound text boxes on the Login form.

'Require a Password Change After Set Number of Logins.

If Me.txtlogincnt > Me.txtlogincntno Then
Call MsgBox("A Scheduled Password Change is in Effect. Please Enter a New Password.", vbExclamation, Application.Name)
Me.cmdChngPW.SetFocus
Me.cmdLogIn.Enabled = False

'Verify Changed Password is New.

If Me.txtPW = Me.txtNewPW Then
Call MsgBox("That Password Has Already Been Used,. A New Password is Required . . .", vbExclamation, Application.Name)
Me.txtNewPW.SetFocus
Exit Sub
End If

HTH

 

[gemma-the-husky]

Dave

I thought you were one of those who said that it was incorrect to store calculated values.

where did I say store a calculated value? (although on occasion it does makes sense)

all I said with this was if you need to store a password and an expiry date, and you don't want people to be able to inspect the tables and see the values - then you need to store encrypted versions of the values, not plaintext.

I see what you mean now - I would store a password expiry date rather than the created date. (not both) if you create a pwd today, and it expires in 2 months, then set the expiry date accordingly.

 

[RainLover]

@ Gemma the Huskey

I just pointed this out because so many have their hard and fast rules but don't really understand what they are doing.I think I can say that yours is one of these situations.

EDIT

Dave, I was a little worried that I may have offended. We often store calculated values without realising it. I think that what you have said is on of those situations. The statement of "You never store calculated values" can be incorrect. Where "A time and a place for everything" is much better.
End Edit

Personally I would create a new date each time there is a Password change. Something like greater than 40 Days.

Now what is the best way of doing it. If you chose the same date for everyone the IT guy or perhaps you, could become very busy on that Morning as our highly educated readers of the funnies can't remember the Rules after been taught some 30 Days ago. Certainly not on Monday because you along with half the staff will have a hangover. Maybe you could issue a Temp password for 3 log ons. Is it everyone you want to do this to. Do users have different security levels and therefore different access. Maybe you could have a very low level pass where the user only has enough access to do mundane tasks until IT or someone fixes their problem.

If access is tied to a Windows Log in you could use that password. This would be the easiest way of all and the best part they won't give their password away so easily.

Really I only dropped in to borrow a cup of sugar. Now I have created a bunch of what ifs. Just deciding when to change the password is something to be decided upon before writing the code as supplied by DOC.

 

[gemma-the-husky]

@ Gemma the Huskey

I just pointed this out because so many have their hard and fast rules but don't really understand what they are doing.I think I can say that yours is one of these situations.

EDIT

Dave, I was a little worried that I may have offended. We often store calculated values without realising it. I think that what you have said is on of those situations. The statement of "You never store calculated values" can be incorrect. Where "A time and a place for everything" is much better.
End Edit

Personally I would create a new date each time there is a Password change. Something like greater than 40 Days.

Now what is the best way of doing it. If you chose the same date for everyone the IT guy or perhaps you, could become very busy on that Morning as our highly educated readers of the funnies can't remember the Rules after been taught some 30 Days ago. Certainly not on Monday because you along with half the staff will have a hangover. Maybe you could issue a Temp password for 3 log ons. Is it everyone you want to do this to. Do users have different security levels and therefore different access. Maybe you could have a very low level pass where the user only has enough access to do mundane tasks until IT or someone fixes their problem.

If access is tied to a Windows Log in you could use that password. This would be the easiest way of all and the best part they won't give their password away so easily.

Really I only dropped in to borrow a cup of sugar. Now I have created a bunch of what ifs. Just deciding when to change the password is something to be decided upon before writing the code as supplied by DOC.

No offence. I just wasn't suggesting storing redundant data.

What I ACTUALLY do is:

1. set the new expiry date for a password to be x days (say 60) from todays date (ie the date they set up a password. They can actually reset their own password's whenever they like

2. Authorize a system manager person to have sufficient permissions to click a button to either display another user's forgotten password in plain text, or to just be able to create a new temporary password for them.
(This is just a db, so it's VBA programming, not windows permissions)

3. fwiw they can also elect not to impose a pwd policy at all. After all, it's their data. Just set up user logins with no password required.

 

[The_Doc_Man]

In my case, the rule is that we remember the password change date and compute the expiration date at the user's login time. That's because we have auditing rules about what we store. Trust me... working for the U.S. Dept of Defense, we have rules on EVERYTHING - including how to make more rules. The only rules I haven't found yet are the rules that tell you how to retire old rules - but there is a rule that says I can't make such a "rule retirement" rule because it is above my pay grade.

However, my auditing rules don't have to match anyone else's rules, so don't treat my answer as the gospel truth. Treat it as just the way that some people do this.

 

[Always_Learning]

Hi There,

How would I go about checking each character in a password and detemin if it is Uppercase, Lowercase, Special Character etc.

I have started to try with this code but no matter what I put in it says it is lowercase.

Dim PasswordLength As Integer
Dim AtChar As Byte
Dim offset As Long
Dim TempAlpha As String
PasswordLength = Len(Me.Txt_Password)

While PasswordLength <> AtChar ' Test value of Counter.
AtChar = AtChar + 1 ' Increment Counter.
TempAlpha = UCase(Mid(Me.Txt_Password, AtChar, 1))
If UCase(Mid(Me.Txt_Password, AtChar, 1)) = True Then
MsgBox ("Is UpperCase")
Else
MsgBox ("Is LowerCase")
End If
Wend ' End While loop.

Any ideas or pointers you can give?

Best Regards,