Question User Level Security Management

crschrock

Hello all.

I've been using this forum for the past few months as I have learned and built my database. Thanks for all the help!

I'm at a point where I can't find my issue through searching.

I have user level security set up and working. I have a "Login" database which requests the user's name and password. It stores this in a hidden table while another form opens up which has a list of various MDBs and MDEs that my department uses. After choosing a database, Circuit Browser.mde for instance, the "Login" db closes and Circuit Browser opens and takes with it the user info and stores it in another hidden table.

Circuit Browser is the FE and is not secured. It has listboxes and forms which read/insert/delete things in the BE. Every time something reads/inserts/deletes in the BE, the user info is pulled from the hidden table to validate security. This is working for me. I will have users that can read only, and users that can insert/delete.

Question 1:
Do you see anything wrong with this form of security?

Question 2:
Is there any way for me to check for the correct username/password within my custom login?

Question 3:
In managing my database, should I handle all of the username/passwords? Or can I let the users handle it themselves? I have a form to change passwords that works nicely. What happens if the user forgets their password? If I don't set it initially and keep track when they change it, I have no way of accessing their password, do I?

Sorry for the length of post. Any help is greatly appreciated.

Thanks!

Chris
 
Just exactly what do you intend to accomplish with the security setup? Are we talking about a simple corralling system to keep honest users from doing something they shouldn't, or a lock-out to protect data from malicious use? This is more important than the actual implementation because the actual implementation depends a lot on what your security needs are.
 
What happens if the user forgets their password? If I don't set it initially and keep track when they change it, I have no way of accessing their password, do I?
Assuming it's stored in a table, and you as developer have access to that table, then yes, you could see everyone's passwords (even if they are masked in the table design - because that's only a cosmetic measure).

If you don't want to be able to see people's passwords at all, ever, then you would need to store an encrypted hash of the password they chose, then when they log in, run the password they enter through the same hash process and compare it against the stored value.

But that might be more complex than you need - another way around it (if it's just to corral the users, as Banana describes) would be to add a 'force change' flag to the user account table and have your application check for this at log in (with code etc. to demand a password change if it is set), plus create for yourself a way of pushing a new password string into the table.

Then if someone forgets their password, you can (after verifying their identity) change their password to, say "L053R", set the force change flag and let them log in and change their password back to something hopefully memorable to them.
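
The stored-hash comparison and the 'force change' reset flow described in the reply above, as an added example that is not part of the original thread. It is written in Python with an in-memory SQLite table standing in for the Access user table; the table layout, function names, salted PBKDF2 hashing and the randomly generated temporary password are all assumptions of this sketch.

```python
import hashlib, hmac, secrets, sqlite3

ITERATIONS = 200_000  # assumed work factor for this sketch

def _derive(password, salt):
    # Salted, slow hash: the table never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def open_store():
    # Hypothetical user table; the Access equivalent would live in the BE.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB,"
               " pw_hash BLOB, force_change INTEGER)")
    return db

def set_password(db, name, password, force_change=False):
    salt = secrets.token_bytes(16)  # fresh salt on every change
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
               (name, salt, _derive(password, salt), int(force_change)))

def login(db, name, password):
    """Return 'denied', 'ok' or 'must_change'."""
    row = db.execute("SELECT salt, pw_hash, force_change FROM users"
                     " WHERE name = ?", (name,)).fetchone()
    if row is None:
        _derive(password, b"\0" * 16)  # comparable work for unknown names
        return "denied"
    salt, stored, force = row
    # Hash the entered password the same way and compare in constant time.
    if not hmac.compare_digest(_derive(password, salt), stored):
        return "denied"
    return "must_change" if force else "ok"

def admin_reset(db, name):
    """After verifying identity: issue a one-time password, set the flag."""
    temp = secrets.token_urlsafe(9)
    set_password(db, name, temp, force_change=True)
    return temp

def change_password(db, name, old, new):
    if login(db, name, old) == "denied":
        return False
    set_password(db, name, new, force_change=False)  # clears the flag
    return True

if __name__ == "__main__":
    db = open_store()
    set_password(db, "chris", "constructed-sample-pw")
    print(login(db, "chris", "constructed-sample-pw"))
    print(login(db, "chris", admin_reset(db, "chris")))
```

With this layout the administrator can reset an account but cannot read anyone's current password from the table.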
 
