Password Policy

As to password complexity, you can do some simple tests.

For instance, you can do something like this:

Code:
Public Function PwdComplex(Pwd As String) As Boolean

' Character-code boundaries of each class (a VBA Const cannot call Asc())
Const UpperA As Long = 65    ' "A"
Const UpperZ As Long = 90    ' "Z"
Const LowerA As Long = 97    ' "a"
Const LowerZ As Long = 122   ' "z"
Const Digit0 As Long = 48    ' "0"
Const Digit9 As Long = 57    ' "9"
Const LowPrint As Long = 33  ' "!"
Const HiPrint As Long = 126  ' "~"

Dim LowerNum As Long
Dim UpperNum As Long
Dim DigitNum As Long
Dim PunctNum As Long
Dim NoGoodNum As Long
Dim PLen As Long
Dim PPos As Long
Dim EPwd As String
Dim EChr As String
Dim LChr As Long

DigitNum = 0
LowerNum = 0
UpperNum = 0
PunctNum = 0
NoGoodNum = 0

EPwd = Trim$(Pwd)
PLen = Len(EPwd)
For PPos = 1 To PLen
  EChr = Mid$(EPwd, PPos, 1)
  ' AscW gives the real code of the character; Asc maps non-ANSI characters to "?"
  LChr = AscW(EChr)
  Select Case LChr
    Case Digit0 To Digit9
      DigitNum = DigitNum + 1
    Case UpperA To UpperZ
      UpperNum = UpperNum + 1
    Case LowerA To LowerZ
      LowerNum = LowerNum + 1
    Case Is > HiPrint
      NoGoodNum = NoGoodNum + 1
    Case Is < LowPrint
      NoGoodNum = NoGoodNum + 1
    Case Else
      ' Printable characters that fall in the gaps between the ranges above
      PunctNum = PunctNum + 1
  End Select
Next PPos

'{here, you would put rules such as minimum number of each category - my site requires 2 of each}

PwdComplex = (DigitNum >= 2) And (PunctNum >= 2) And (LowerNum >= 2) And (UpperNum >= 2) And (NoGoodNum = 0)

End Function

The only wrinkle in the above is that punctuation is distributed among several gaps between the digits, upper case, and lower case numbers. Note also that if you choose to disallow a punctuation character, you would have to add a special case statement for that one character value to mark as "No Good."
 
Hi There,

Thanks everyone for your help and suggestions.

Thanks again Doc_Man for your detailed help, can't wait to give it a try. It will have to be Monday now.

Have a great weekend.

Best Regards,
 
Just remember that I have very fat fingers when typing and often program in multiple flavors of BASIC, so if I got a specific syntax wrong on the declares or case statements, forgive me. I was winging that because it actually came from my OpenVMS BASIC password complexity module. OpenVMS allows for complexity but my site's rules were different from theirs so I had to "roll my own" and that is why I had such a thing. My Access module uses an external authentication for which the password complexity is handled by the O/S and domain-level code.
 
In my case, the rule is that we remember the password change date and compute the expiration date at the user's login time. That's because we have auditing rules about what we store. Trust me... working for the U.S. Dept of Defense, we have rules on EVERYTHING - including how to make more rules.

Doc Man,

Do they explain the difference between storing the date the current password took effect, and the date that the current password will retire?

If you know one you can calculate the other.

Is there something else that is missing to this equation?
 
RainLover, with the government, the explanation is often "That's the way " (uh-huh uh-huh) "we want it" (uh-huh uh-huh) "that's the way ... we like it." (sorry, the opportunity to break out in song presented itself and I couldn't resist.)

The government mandate is to always record when something happened, not to record when something WILL happen. And as you point out, it really doesn't matter otherwise, because having the password age and one critical date, you have the other date just as easily. But since they do sometimes audit code, we always make sure our code will pass their silly requirements. So we store the most recent password change date, not the next password change due date.

As to the other part of your question, "Do they explain..." What? Asking the government to explain itself? You've GOT to be kidding. (Damn, I'm in a cynical mood today!) But actually, someone from our network security team told me that they do it the way they do it as a matter of consistency because of other systems that store actual event dates, not event due dates. We have all of our systems running the NTP service, so our event log timestamps will correlate pretty closely. There's this thing they do with event logs that sorts them according to date and time across multiple systems, so if they want to see password change attempts to identify intrusions, they have to see everything by the actual event date.

For us, at least, the "password overdue" date doesn't get logged right away anyway. That is, there is no logged event that says "User's password just became overdue." We have a BRIEF grace period between the "password overdue" date and the scan that sets the flag that says "Password change requires supervisory intervention." Now THAT event (setting the "supervisor intervention" flag) DOES get event-logged. But it gets done in a batch job that runs at midnight only on certain days of the month.

Sometimes it gets a bit onerous to handle all these rules, but if you are good with code, you make the machine do your work for you, which I do. So once we got the auditing rules all figured out and got government blessing on what we did, we were "good as gold."
 
I suppose from DocMan's point of view, the password change date is a finite.

If the powers that be decide to change their rules about password changes, then any existing password would get caught by the rule change. If you stored the expiry date, it wouldn't be so easy.
 
Hi,
After deep thinking, I finally wrote the following code to request the user to enter a password with upper and lower case letters plus at least one number.

here is the code:
record goes to me :cool:
the following code should be pasted in txtbox after update case

Code:
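Private Sub Password_AfterUpdate()
' written by EMAD

    If IsNull(Me.Password) Then
        Me.Password.Value = "password"
        MsgBox "password must contain at least 8 characters, password will be reset to password", vbOKOnly
        Exit Sub
    End If
    On Error GoTo ErrHandler

    If Len(Me.Password) < 8 Then
        Me.Password.Value = "password"
        MsgBox "password must contain at least 8 characters, password will be reset to password", vbOKOnly
        Exit Sub
    End If

    ' Each variable needs its own type; InStr returns a Long position (0 = not found)
    Dim N0 As Long, N1 As Long, N2 As Long, N3 As Long, N4 As Long, N5 As Long, N6 As Long, N7 As Long, N8 As Long, N9 As Long
    N0 = InStr(Me.Password, "0")
    N1 = InStr(Me.Password, "1")
    N2 = InStr(Me.Password, "2")
    N3 = InStr(Me.Password, "3")
    N4 = InStr(Me.Password, "4")
    N5 = InStr(Me.Password, "5")
    N6 = InStr(Me.Password, "6")
    N7 = InStr(Me.Password, "7")
    N8 = InStr(Me.Password, "8")
    N9 = InStr(Me.Password, "9")

    If (N0 + N1 + N2 + N3 + N4 + N5 + N6 + N7 + N8 + N9) = 0 Then
        Me.Password.Value = "password"
        MsgBox "password must contain at least one numeric value, password will be reset to password", vbOKOnly
        Exit Sub
    End If

    Dim CA As Long, CB As Long, CC As Long, CD As Long, CE As Long, CF As Long, CG As Long, CH As Long, CI As Long, CJ As Long, CK As Long, CL As Long, CM As Long, CN As Long, CO As Long, CP As Long, CQ As Long, CR As Long, CS As Long, CT As Long, CU As Long, CV As Long, CW As Long, CX As Long, CY As Long, CZ As Long

    ' vbBinaryCompare keeps the letter tests case-sensitive even under Option Compare Database
    CA = InStr(1, Me.Password, "A", vbBinaryCompare)
    CB = InStr(1, Me.Password, "B", vbBinaryCompare)
    CC = InStr(1, Me.Password, "C", vbBinaryCompare)
    CD = InStr(1, Me.Password, "D", vbBinaryCompare)
    CE = InStr(1, Me.Password, "E", vbBinaryCompare)
    CF = InStr(1, Me.Password, "F", vbBinaryCompare)
    CG = InStr(1, Me.Password, "G", vbBinaryCompare)
    CH = InStr(1, Me.Password, "H", vbBinaryCompare)
    CI = InStr(1, Me.Password, "I", vbBinaryCompare)
    CJ = InStr(1, Me.Password, "J", vbBinaryCompare)
    CK = InStr(1, Me.Password, "K", vbBinaryCompare)
    CL = InStr(1, Me.Password, "L", vbBinaryCompare)
    CM = InStr(1, Me.Password, "M", vbBinaryCompare)
    CN = InStr(1, Me.Password, "N", vbBinaryCompare)
    CO = InStr(1, Me.Password, "O", vbBinaryCompare)
    CP = InStr(1, Me.Password, "P", vbBinaryCompare)
    CQ = InStr(1, Me.Password, "Q", vbBinaryCompare)
    CR = InStr(1, Me.Password, "R", vbBinaryCompare)
    CS = InStr(1, Me.Password, "S", vbBinaryCompare)
    CT = InStr(1, Me.Password, "T", vbBinaryCompare)
    CU = InStr(1, Me.Password, "U", vbBinaryCompare)
    CV = InStr(1, Me.Password, "V", vbBinaryCompare)
    CW = InStr(1, Me.Password, "W", vbBinaryCompare)
    CX = InStr(1, Me.Password, "X", vbBinaryCompare)
    CY = InStr(1, Me.Password, "Y", vbBinaryCompare)
    CZ = InStr(1, Me.Password, "Z", vbBinaryCompare)

    If (CA + CB + CC + CD + CE + CF + CG + CH + CI + CJ + CK + CL + CM + CN + CO + CP + CQ + CR + CS + CT + CU + CV + CW + CX + CY + CZ) = 0 Then
        Me.Password.Value = "password"
        MsgBox "Password must contain at least one upper letter,password reset to password", vbOKOnly
        Exit Sub
    End If

    Dim Sa As Long, Sb As Long, Sc As Long, Sd As Long, Se As Long, Sf As Long, Sg As Long, Sh As Long, Si As Long, Sj As Long, Sk As Long, Sl As Long, Sm As Long, Sn As Long, So As Long, Sp As Long, Sq As Long, Sr As Long, Ss As Long, St As Long, Su As Long, Sv As Long, Sw As Long, Sx As Long, Sy As Long, Sz As Long

    Sa = InStr(1, Me.Password, "a", vbBinaryCompare)
    Sb = InStr(1, Me.Password, "b", vbBinaryCompare)
    Sc = InStr(1, Me.Password, "c", vbBinaryCompare)
    Sd = InStr(1, Me.Password, "d", vbBinaryCompare)
    Se = InStr(1, Me.Password, "e", vbBinaryCompare)
    Sf = InStr(1, Me.Password, "f", vbBinaryCompare)
    Sg = InStr(1, Me.Password, "g", vbBinaryCompare)
    Sh = InStr(1, Me.Password, "h", vbBinaryCompare)
    Si = InStr(1, Me.Password, "i", vbBinaryCompare)
    Sj = InStr(1, Me.Password, "j", vbBinaryCompare)
    Sk = InStr(1, Me.Password, "k", vbBinaryCompare)
    Sl = InStr(1, Me.Password, "l", vbBinaryCompare)
    Sm = InStr(1, Me.Password, "m", vbBinaryCompare)
    Sn = InStr(1, Me.Password, "n", vbBinaryCompare)
    So = InStr(1, Me.Password, "o", vbBinaryCompare)
    Sp = InStr(1, Me.Password, "p", vbBinaryCompare)
    Sq = InStr(1, Me.Password, "q", vbBinaryCompare)
    Sr = InStr(1, Me.Password, "r", vbBinaryCompare)
    Ss = InStr(1, Me.Password, "s", vbBinaryCompare)
    St = InStr(1, Me.Password, "t", vbBinaryCompare)
    Su = InStr(1, Me.Password, "u", vbBinaryCompare)
    Sv = InStr(1, Me.Password, "v", vbBinaryCompare)
    Sw = InStr(1, Me.Password, "w", vbBinaryCompare)
    Sx = InStr(1, Me.Password, "x", vbBinaryCompare)
    Sy = InStr(1, Me.Password, "y", vbBinaryCompare)
    Sz = InStr(1, Me.Password, "z", vbBinaryCompare)

    If (Sa + Sb + Sc + Sd + Se + Sf + Sg + Sh + Si + Sj + Sk + Sl + Sm + Sn + So + Sp + Sq + Sr + Ss + St + Su + Sv + Sw + Sx + Sy + Sz) = 0 Then
        Me.Password.Value = "password"
        MsgBox "Password must contain at least one lower letter,password reset to password", vbOKOnly
        Exit Sub
    End If

ErrHandler:
    ' Any run-time error ends the check here without further action

End Sub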
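
A hardened variant of the same rules, as an added example that is not part of the original post: it rejects a failing password in the control's BeforeUpdate event instead of overwriting the field with a known value, and it classifies characters by code so the result does not depend on the module's Option Compare setting. PwdProblem is a hypothetical helper name; the control name Password and the rules (8 characters, one upper, one lower, one digit) are taken from the post.

```vba
' Added example, not from the thread.
' Returns "" when Pwd satisfies the rules, otherwise the reason it fails.
Public Function PwdProblem(ByVal Pwd As String) As String
    Dim i As Long
    Dim c As Long
    Dim hasUpper As Boolean, hasLower As Boolean, hasDigit As Boolean

    If Len(Pwd) < 8 Then
        PwdProblem = "Password must contain at least 8 characters."
        Exit Function
    End If

    For i = 1 To Len(Pwd)
        ' Character codes are compared as numbers, so Option Compare
        ' Database (case-insensitive text compare) cannot affect the result.
        c = AscW(Mid$(Pwd, i, 1))
        Select Case c
            Case 48 To 57: hasDigit = True      ' 0-9
            Case 65 To 90: hasUpper = True      ' A-Z
            Case 97 To 122: hasLower = True     ' a-z
        End Select
    Next i

    If Not hasDigit Then
        PwdProblem = "Password must contain at least one digit."
    ElseIf Not hasUpper Then
        PwdProblem = "Password must contain at least one upper-case letter."
    ElseIf Not hasLower Then
        PwdProblem = "Password must contain at least one lower-case letter."
    End If
End Function

' BeforeUpdate can veto the edit: a rejected value is never saved and the
' field is never replaced with a default that every user would know.
Private Sub Password_BeforeUpdate(Cancel As Integer)
    Dim problem As String

    problem = PwdProblem(Nz(Me.Password, ""))   ' Nz turns Null into ""
    If Len(problem) > 0 Then
        MsgBox problem, vbExclamation
        Cancel = True                           ' keep focus in the control
    End If
End Sub
```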
 
