Solved Users password encryption in users table in MS Access - multiuser system (1 Viewer)

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
I know have been few posts, tried but got stuck, so please don't shoot me down for asking. I am looking for sample db. Dont forward me to other forums, I already spent hours.
I have
1) Multiuser system
2) User registration form for creating account
3) login form to log in
Everything works fine, more than 40 users - database splitted.

I want at the the time of registration passwords are encrypt as hashes, while at login are decrypted because user will use his password what he entered.
Can some one give me sample db, or an easy but secure way out to encrypt passwords.

How my registration or login works.
1) other than registration data passwords are matched (pass + confirmPass), username created and finally account created.
2) At login, record set and row source is used to identify credential matching with username.

Thanks it will be of great help.
 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 17:32
Joined
Feb 28, 2001
Messages
23,166
On your point about "decrypting hashes" - no. You don't do that. Hash algorithms are generally not reversible - and not necessary TO reverse. If you have user X logging in and s/he enters a new password, you encrypt that and store the encryption. Then the next time X logs in using the new password, you encrypt the password and compare the encrypted password to the stored encrypted password. You NEVER EVER AT ANY TIME want to decrypt a password once you set it up for encryption. This is advice from someone with 28 1/2 years service to U.S. Navy and who holds a certificate for Security Plus.

Look at posts by Isladogs among others, because he has helped many people with login issues.
 

plog

Banishment Pending
Local time
Today, 17:32
Joined
May 11, 2011
Messages
11,012
I agree with Doc. Store the encrypted password then when they log in, encrypt the submitted password and compare that hash to the stored password hash.

Google 'vba encryption code'. Then when you find code Google the method they use to verify it's still a good encryption method.
 

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
On your point about "decrypting hashes" - no. You don't do that. Hash algorithms are generally not reversible - and not necessary TO reverse. If you have user X logging in and s/he enters a new password, you encrypt that and store the encryption. Then the next time X logs in using the new password, you encrypt the password and compare the encrypted password to the stored encrypted password. You NEVER EVER AT ANY TIME want to decrypt a password once you set it up for encryption. This is advice from someone with 28 1/2 years service to U.S. Navy and who holds a certificate for Security Plus.

Look at posts by Isladogs among others, because he has helped many people with login issues.
Yes I agree with this, but I meant at login passwords again have to be matched. I dont have to say that they decrypted. thanks for clarification.
 

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
I agree with Doc. Store the encrypted password then when they log in, encrypt the submitted password and compare that hash to the stored password hash.

Google 'vba encryption code'. Then when you find code Google the method they use to verify it's still a good encryption method.
got it , encrypted pass are matched with encrypted. thanks
 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 17:32
Joined
Feb 28, 2001
Messages
23,166
Now, here is the next question. Is this situation subject to the constraints of a domain environment? Because if so, you don't need ANY username OR password. You can "trust" the domain's authentication. Note that if you are in a non-domain environment, my comment does not apply.
 

isladogs

CID VIP
Local time
Today, 23:32
Joined
Jan 14, 2017
Messages
16,412
The best approach is not to store passwords at all but to rely on active directory to verify permissions.

However, if you are going to do this, make sure you use a strong 128-bit or better encryption cipher together with hashing.
Simple encoding is not sufficient as it is easy to crack. For the purposes of data protection, nobody should be able to read stored passwords...including the program admins.

Have a look at my example database which uses RC4 encryption Password Login - Mendip Data Systems. It is also discussed in this thread here at AWF Password Login.

RC4 is a strong two way encryption method which means the same cipher is used to encrypt and decrypt. This makes coding easier but it also means is isn't as strong as one way encryption methods such as AES. However it will be sufficient to prevent all but the most determined and skilled hackers.
 
Local time
Today, 23:32
Joined
Jul 25, 2020
Messages
70
Here is a basic understanding of RC4.

As with all encryption of data, all you are doing is buying time before your data is exposed by reverse engineering.

Information is much more useful if it is current and accurate. If it takes 16 months to decrypt AES256 using a powerful PC then you could argue that the time it took to be successful is so great the data is worthless almost.

Does this mean we should not bother? Far from it; we have an obligation to try.

The weakness is not so much the cypher but the way its implemented, As part of the origiinal M.O.R.E Group many of my RE examples are there to see on Haxnode.

 

isladogs

CID VIP
Local time
Today, 23:32
Joined
Jan 14, 2017
Messages
16,412
I strongly recommend reading the article by Rabbit at Bytes.com.
He is VERY knowledgeable about encryption and through various email exchanges has proved to be invaluable in testing for potential weaknesses in my example app Encrypted Spilt No Strings - Mendip Data Systems.
Due partly to his feedback I have since done several further updates to the version of this app published on my website in Dec 2020.
If Rabbit can't hack an app within a reasonable time frame, its about as secure as it can be!
 
Last edited:

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
thank you very much dear all, I am new but learning every day here. I will read this above.
 

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
The best approach is not to store passwords at all but to rely on active directory to verify permissions.

However, if you are going to do this, make sure you use a strong 128-bit or better encryption cipher together with hashing.
Simple encoding is not sufficient as it is easy to crack. For the purposes of data protection, nobody should be able to read stored passwords...including the program admins.

Have a look at my example database which uses RC4 encryption Password Login - Mendip Data Systems. It is also discussed in this thread here at AWF Password Login.

RC4 is a strong two way encryption method which means the same cipher is used to encrypt and decrypt. This makes coding easier but it also means is isn't as strong as one way encryption methods such as AES. However it will be sufficient to prevent all but the most determined and skilled hackers.
I did not know about active directories before. I will definitely go through this what are these and how does it work in access.
@isladogs thanks for sharing sample db, I tried this it is working for me. But only problem is , same code is able to reverse the encryption.
 

isladogs

CID VIP
Local time
Today, 23:32
Joined
Jan 14, 2017
Messages
16,412
Ask your network manager about active directory.
As stated, RC4 is reversible but only if the encryption cipher key is known to the hacker.
Hashing the encrypted password adds further complexity to the process
 
  • Love
Reactions: Ihk

Gasman

Enthusiastic Amateur
Local time
Today, 23:32
Joined
Sep 21, 2011
Messages
10,853
@lhk
You should be aware that asking for help specifically from individual members via profile posts, is not private?, and can be viewed by all?
 
  • Like
Reactions: Ihk

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
Ask your network manager about active directory.
As stated, RC4 is reversible but only if the encryption cipher key is known to the hacker.
Hashing the encrypted password adds further complexity to the process
Thank you thats nice idea
 

Ihk

Member
Local time
Tomorrow, 00:32
Joined
Apr 7, 2020
Messages
238
Just an update for others like me who are looking for solution. I learnt a lot from this post. thank you all above.
I used two different encryption methods and on top of it encrypted the encrypted passwords two times. (@isladogs idea), Afterwards I tried to decrypt with the same, I went back upto 10-12 generation, did not get the real password. So conclusion is this is really the best encryption.
Apply two different encryption methods + encrypt the encrypted passwords, then those look like very very hard to decrypt into real passwords words.
My login system is also working, after the users registers themselves in the system.
 
Last edited:

Users who are viewing this thread

Top Bottom