Re: Enter user name, enter password, then press enter...

Rick

What do you do when the customer asks that the database login in be the same
username and password as they use to log on to their domain? This IMO is a
reasonable request from the client, as the user has to remember only one
username and password to use all of the stuff that she is permitted to use.
Using Access Security would be an Admin nightmare in this instance if the
database has say 30 users. What if it had 300 users? What if the company
had a policy that passwords had to change every 90 days?

I have implemented this type of security for Access, VB, and Web Based ASP
applications in organizations with hundreds of users using ADSI and LDAP.
In Access databases I also use the "disable the shift-bypass" technique to
prevent the user from getting around my start up code.

In the user table in my database all I need is each users Domain Username.
When I get the Username / Password in my custom login form, I first check to
make sure that the user is in my database then query Active Directory to see
if the Username / Password pair authenticates.

My customers and I see this as a very powerful way to maintain security for
the following reasons.
* Whenever their domain password changes it is immediately reflected in
the database login
* Users are less prone to tape their password to the back of the
keyboard or monitor when they have only one to remember
* Domain Admins can insure that user passwords change every N days for
ALL applications
* The users Password is NOT stored anywhere in the database

Is this technique as secure as the built in Access Security? Probably NOT!
Could a Tech Savvy user beat my system and get to the tables in my database?
YES!!! But, it does provide a reasonable level of security that is easy to
administer.

I believe that anyone who was sufficiently motivated could defeat Access
Security if they had a couple bucks and internet access. Look at what I
found on Google by Googling "Crack Access Security".

http://www.shareup.com/Access_Recovery-download-31557.html
http://lastbit.com/mso/default.asp
http://www.topshareware.com/Access-Recovery-download-36632.htm
http://www.batchconverter.com/RemoveAccessSecurity-download-14170.shtml

The above links were all found on the first page of 1,780,000 hits. Prices
for these utilities ranged from $39.00 to $199.00. I was able to find all
of this stuff in less than a minute. So one has to weigh the risks with the
admin cost, and choose the method that is the best for them.

Ron W

"Rick B" <Anonymous> wrote in message
news:e1LIVaihFHA.2560@xxxxxxxxxxxxxxxxxxxxxxx
> Why are you creating a login form?
>
> Access comes with a full security system called User-Level Security. You
> cannot create a custom login form if you use ULS. If you try to grow your
> own security, you will be wasting a great deal of time reinventing the
> wheel. You will also be setting yourself up with a much less secure
> database. You will be storing the userids and passwords in a table. What
> will prevent your users from simply opening that table?
>
> Also, Why couldn't I simply hold down the SHIFT key while opening your
> database and completely bypass your login form?
>
> Use the tools available.
>
> Make a couple of copies, then read (and reread) the links below. You must
> follow EVERY step IN ORDER.
>
> --
> Rick B
>
>
>
> Security FAQ
>
> http://support.microsoft.com/?id=207793
>
>
>
> The Security Whitepaper is also worth reading to help you understand.
>
> http://support.microsoft.com/?id=148555
>
>
>
> Joan Wild:
>
> www.jmwild.com/AccessSecurity.htm
>
>
>
> Lynn Trapp
>
> http://www.ltcomputerdesigns.com/Security.htm
>
>
>
>
>
>
> "Paul (ESI)" <PaulESI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:0A910352-AFF6-40F1-96A6-6096F95A3843@xxxxxxxxxxxxxxxx
> > I created a mock login screen for testing. I haven't bothered to make it
> > actually validate anything for login. I'll get into trying that out
later.
> > However, I was wondering if it is possible to allow users to enter their
> user
> > name and password, then have the login button respond to the enter
button
> as
> > well as a mouse click. Currently, if I type in a user name and password,
> then
> > press enter, it just highlights the button, but doesn't press it. Any
way
> to
> > make it treat the enter button just as any normal login would?
> >
> > --
> > Have a nice day!
> >
> > ~Paul
> > Express Scripts,
> > Charting the future of pharmacy
>
>


.