  1. #1
    ktommy7 is offline Novice
    Windows 10 Access 2016
    Join Date
    Apr 2022
    Posts
    3

    Registration Form - Securing the passwords

    Hello everybody,



    I'm new here and this is my first post. I'm facing a situation where I'm actually cornered, and I've tried almost every possible way (using my MS Access knowledge so far) as well as doing research on the internet. Unfortunately, it returned without any solution.
    My scenario is that I'm creating a database for our customer who wants their employees to store their work, and he wanted me to create a registration form. As you can imagine, the customer wants to automate the registration system and he wants their employees to enter the data manually. When they fill in the required fields and create their account by pressing the "Register" button, the data is stored in a specific table. But the problem is that the password is visible when I access that table. So far I've split the Access database into front-end and back-end files, password-protected the back end, disabled any ribbons, turned off the bypass key, etc. But I don't want any "leak" of information and I just want to be sure that no one except the customer's administrator himself will have access to the back end.

    What I want to do is just to make sure that after their registration their password will be protected, encrypted or hashed (I don't know which description best suits it), and in case they forget their password there will be a reset form that will be accessible only to the administrator after login. I saw a few videos on YouTube and they put the hashing code at the login screen, but the problem is that they had already created their own users, which in my situation is not available. I've talked to the customer and I told him that the administrator should have at least a backup of their credentials, but the answer was NO.

    Any help or advice on how to deal with this situation?
    Thanks a million you guys.

  2. #2
    Micron is online now Very Inert Person
    Windows 10 Access 2016
    Join Date
    Jun 2014
    Location
    Ontario, Canada
    Posts
    13,424
    Are they sharing a Windows log in? If not then IMO, you can dispense with the whole idea - but it will take some admin maintenance. What I'm talking about is Access code (which cannot be seen in an accde type database) that gets the user's Windows login ID (user name) from a table and compares that to who is currently logged in to Windows and using Access on that pc. Note, I'm not saying you store windows passwords in the table, just their user name. If they don't match, they don't get in. This avoids admin maintenance when they call up and say "I forgot my password - can you reset it?" and a whole lot of code.

    If stuck with the login form thing, then you need to do at least the minimal to keep users out of tables and playing with design, but that's only as good as the level of their knowledge about Access and vba. Then you need to encrypt passwords, but even I with my limited knowledge (at the time) was able to beat that. If security is of paramount importance, you probably should dispense with Access as a back end and use something else, like sql server.

    Welcome to the forum, by the way!
    The more we hear silence, the more we begin to think about our value in this universe.
    Paraphrase of Professor Brian Cox.

  3. #3
    ktommy7 is offline Novice
    Windows 10 Access 2016
    Join Date
    Apr 2022
    Posts
    3
    Hey Micron,
    Thank you for the quick response. I understand what you mean, and I was thinking of the same idea of putting the database on a SQL server. The good thing is that they have a server and are using another application within their network. Yes, they are using a classic Windows login and not a domain, because they had a domain and they had issues so they had to disable it (I don't know why and I don't really want to know). The good thing is that their administrator has that information as well, so I can prompt them to create a username the same as the computer user, which will come in handy.
    I'm just trying to figure out another way and get the customer to make an administrator the only one who can add a user and give them a password, and I was thinking about creating a profile form where the user can change their password if they want to. And since only the administrator will have full access to this database, even after encryption, in case the password is forgotten, he will just reset it, leaving it blank, and the user, using their username, will be redirected to another form to enter a new password and to log in again before proceeding any further.

    Thank you for your warm welcome. I'll do my best to help as much as I can.

  4. #4
    Micron is online now Very Inert Person
    Windows 10 Access 2016
    Join Date
    Jun 2014
    Location
    Ontario, Canada
    Posts
    13,424
    I might have not explained that very well, so just in case:
    Let's say I work at a place with a network server and to log in, I have to use the Windows/network user name they gave me, and that's Micron123.
    So I log onto the pc/Windows with that name, entering my network login password, then try to open some Access db.
    The db code gets my user name (Micron123) and looks to see if that value is in the table. If not, I get kicked out of Access, otherwise I'm in.
    That username was added by the db admin; there is no password in the table so no danger of discovery there. What is in the table is any other info pertaining to me, such as my access level (e.g. plain ol' user, supervisor, admin, whatever) and those values are used when opening forms to show/hide or prevent as necessary.

    This would never work in a place where someone logs into Windows, goes for lunch, and anyone is allowed to come along and use that pc while logged in by somebody else.
    HTH
    The more we hear silence, the more we begin to think about our value in this universe.
    Paraphrase of Professor Brian Cox.

  5. #5
    CJ_London is offline VIP
    Windows 10 Access 2010 32bit
    Join Date
    Mar 2015
    Posts
    11,939
    I hash the newly entered password and save that instead of the actual password.

    When the user logs in next time, you hash their password input and compare that with the value in the record.

    Examples of code to hash a value can be found here:
    https://en.m.wikibooks.org/wiki/Visu...Hashing_in_VBA

    If a user forgets their password, all admin can do is delete the hashed value and the user enters a new password next time they log in. Depending on requirement, an admin might supply and apply a new temporary password to the user for one-time use or valid for a few hours (use a date flag or similar), and the next time the user logs in there is a requirement for them to reset their password. Unique temporary passwords can easily be created by hashing, say, the current date/time.

    Edit: I've never had to do it, but if you are concerned about admin forgetting their password, providing you have their email address stored, you could have code on the 'forgot password' option to automate this and email the temporary password. Or SMS if you have their mobile/cell number.
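
The hash-on-registration, compare-on-login and temporary-password reset flow described in post #5, as an added example that is not part of the thread and not any poster's code. It is written in Python rather than VBA so it runs stand-alone; the record fields (`salt`, `hash`, `must_change`, `expires`), the function names, and the choice of salted PBKDF2-HMAC-SHA256 with a randomly generated temporary password are assumptions of this example.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 200_000      # assumption: tune to the slowest client PC
TEMP_TTL = 4 * 3600       # temporary password valid "for a few hours"

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is made when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register(users, name, password):
    """Store only salt + hash in the (hypothetical) users table, never the password."""
    salt, digest = hash_password(password)
    users[name] = {"salt": salt, "hash": digest, "must_change": False, "expires": None}

def admin_reset(users, name, now=None):
    """Admin cannot read the old password; issue a random one-time replacement."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(9)
    salt, digest = hash_password(temp)
    users[name].update(salt=salt, hash=digest, must_change=True, expires=now + TEMP_TTL)
    return temp  # handed to the user out of band, never stored in clear

def login(users, name, password, now=None):
    """Return 'ok', 'change_required' (temp password accepted) or 'denied'."""
    now = time.time() if now is None else now
    rec = users.get(name)
    if rec is None:
        return "denied"
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["hash"]):   # constant-time compare
        return "denied"
    if rec["must_change"]:
        return "denied" if now > rec["expires"] else "change_required"
    return "ok"

def change_password(users, name, old, new, now=None):
    """Replace the stored hash once the old or temporary password checks out."""
    if login(users, name, old, now) == "denied":
        return False
    salt, digest = hash_password(new)
    users[name].update(salt=salt, hash=digest, must_change=False, expires=None)
    return True
```
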

  6. #6
    isladogs is offline Access MVP / VIP
    Windows 10 Office 365
    Join Date
    Jan 2014
    Location
    Somerset, UK
    Posts
    6,204
    If you do decide to use passwords, the password entry textbox should be masked and you need to use 128-bit encryption or better e.g. RC4 or SHA

    Two links that you may find useful :
    1. Encrypted passwords example Password Login (isladogs.co.uk)
    2. Improve Access security: Improve Access Security 2 (isladogs.co.uk)
    Colin Riddington, Access MVP, Website, email
    The more I learn, the more I know I don't know. When I know I don't know, I keep quiet!

  7. #7
    Join Date
    Apr 2017
    Posts
    1,792
    In our firm we use SQL Server BEs with Access/Excel FEs, and use Domain Groups to manage access to apps. Every app has its own Domain Group(s) defined. For SQL BE databases, user rights are set for certain Domain Group(s). Only users added to this/those Domain Groups can open the DB FE, and what a user can do in the DB is determined by Domain Group.

  8. #8
    ktommy7 is offline Novice
    Windows 10 Access 2016
    Join Date
    Apr 2022
    Posts
    3
    Thank you guys for all your help. I found the solution within your suggestions and you were very helpful.
    I spoke to my customer and we decided to have the administrator handle this whole account story (I just don't wanna argue with them anymore). They decided that they will create the users with a temporary password, and after their login there will be a pop-up window to prompt them to change the password. We will create a user's profile tab, which can be accessed only by the administrator, and there he can change the password into a temporary password in case the user forgets it, and the encryption will work after their first successful login. I've created a user activity log, so whenever the user is logged in, on the forms they are working with, after saving their records, the username is shown in a specified field that I named LAST MODIFIED BY.
    As for the lost or forgotten password, the administrator told me that he will deal with it and not to worry about it, so OK I said (just followed the "customer is always right" quotation). Resetting a forgotten password using the e-mail method is a great idea, but I don't have the required knowledge. If there are any links on how to do it, I will try to apply this method in another project and share with the community.
    Forgive my English if something is not clear to understand.

    If someone wants to add any other info then you're welcome otherwise please close the thread.
    Thank you once again.

  9. #9
    Join Date
    Jan 2017
    Location
    Swansea,South Wales,UK
    Posts
    6,569
    You do that yourself by marking the thread solved via Thread Tools.
    Please use # icon on toolbar when posting code snippets.
    Cross Posting: https://www.excelguru.ca/content.php?184
    Debugging Access: https://www.youtube.com/results?sear...bug+access+vba
