Database Security

[Justin]

I have this database where I have some minor security, where the database
will check your network id and compare it to a table from the database, to
see if it shoudl grant access or not. Now the auditing dept of my company
wants to have more security features. They want to have it that when you log
to the database, there is a screen that ask for username and password, and
after x amount of days, it will prompt user to change password.
I have a form with user name and password, i masked the password so it only
shows "xxxxx" but i have no clue about the password prompting user to keep
changing password.

Also, do you have any suggestion on better security for my database. thanks
in advance

 

[Lynn Trapp]

Justin,
Add a PWD_Next_Update_Date field to the table that you use to authenticate
the users. Check that date when the user logs on and prompt them to change
their password when the date is hit.

--
Lynn Trapp
MS Access MVP
www.ltcomputerdesigns.com
Access Security: www.ltcomputerdesigns.com/Security.htm
Jeff Conrad's Access Junkie List:
http://home.bendbroadband.com/conradsystems/accessjunkie.html

 

[Justin]

Well, i just got word from my audit dept, they have this idea that I need to
get in place

The first screen will be a form where the user will input their work email
address.
Now of course, the database will check to see that email address is in the
user table. If so, it will generate a password, having letters or numbers or
combination or both and will send an email to user. then user will get email,
then in log in screen, will input user name and the generated password and as
soon as they close the database, that password will not work, if they try to
log on
they will have to do the whole process again.
I have no idea how to do this. Please help

 

[Lynn Trapp]

I'm afraid I'm a bit lost. Do you mean that your audit department wants the
user to get a NEW generated email every time they open the database?

--
Lynn Trapp
MS Access MVP
www.ltcomputerdesigns.com
Access Security: www.ltcomputerdesigns.com/Security.htm
Jeff Conrad's Access Junkie List:
http://home.bendbroadband.com/conradsystems/accessjunkie.html

 

[Justin]

basically, for instance
i sign in at 9am, i enter the datbase, put in my email address and it will
generate a password for this time. then when im done, as soon as i close the
databse, that generated pswd i just got, will no longer work the next time i
try to log ont the database

 

[John Welch]

Justin, do they want to do this complicated system just because they want
more security than the oringinal system (storing usernames and passwords in
a table)? If so, you might try to sell them on using Access' User Level
Security features, which will probably be more secure that what they want
and less hassle for everyone (once you learn how it works, which isn't
trivial). If you did that, you could still store a date in a table for each
user and prompt them to change their password if the current date is 30 days
after that date, for example. You could either just bug them, or lock them
out to some extent.
HTH
-John
----- Original Message -----
From: "Justin" <[email protected]>
Newsgroups: microsoft.public.access.security
Sent: Friday, September 16, 2005 1:09 PM
Subject: Re: Database Security

 

[TC]

Your original requirement (in this thread) was to force the users to
change their passwords after 'x' amount of time - true?

If so, you can easily do that using VBA code. Is that what you want to
do?

TC

 

[Justin]

For me, I think that is the best idea because the password can be changed
certain amount of days. Thing is that the contents of the data. This database
hold cutomers credit card information, so my audit dept felt that the
security requirements they asked for is the best bet.
What do you guys think, is there an alternate way, cause i do see what they
are asking for is way too much

 

[Keith]

This database
hold cutomers credit card information, so my audit dept felt that the
security requirements they asked for is the best bet.

I think I'd be putting data like this into Oracle where it could be properly
secured. Just my 2p worth.

Regards,
Keith.
www.keithwilby.com

 

[Lynn Trapp]

Justin,
Not only is what they are asking for "way too much," but it will not be
nearly as secure in MS Access as they think it will. Whatever approach you
find to generating a new password, either every so many days or every time a
user logs on, can be cracked by determined people. Follow Keith's advice and
store this kind of sensitive data in SQL Server or Oracle.

--
Lynn Trapp
MS Access MVP
www.ltcomputerdesigns.com
Access Security: www.ltcomputerdesigns.com/Security.htm
Jeff Conrad's Access Junkie List:
http://home.bendbroadband.com/conradsystems/accessjunkie.html

 

[Brendan Reynolds]

If I were asked to develop an application that would need to store credit
card information, Justin, I would advise my boss that we should consult an
expert in the field of data protection. I would explain to my boss that the
cost of consulting an expert would be much, much less than the potential
cost of litigation and loss of reputation should customers' confidential
data be compromised. My boss, being the reasonable chap that he is, would
probably listen to me. But I would make sure to give him the advice in
writing, and keep a copy, just in case.

 

[TC]

Ouch! I didn't see the credit card bit, I couldn't have read it
carefully enough.

Anyone storing unencrypted credit card details in a desktop database
product should be summarily executed! (and I don't mean in a machine
code sense)

TC