Users / Application Access

ss7thirty

I have a problem. I have a scan application that needs the ability to Select, Insert, Update, and Delete records from a database. The way we have been giving the user access is by specifying a username/password in a configuration file. Is there a better way to go about this? Can this be accomplished by the program being “bound” with a “plan” to enable this? The plan would have more access rights than the individual. How can I go about this rather than hard coding the username/password into the code (worst option), or even just having it visible to the user in a configuration file located somewhere in the "bin"? This is a VB6 application so this may provide some extra hurdles, but I believe that this problem can get solved on the SQL side of things.
 

I have an app currently that stores:

username
password hashcode
permission flags

To determine access I:

SELECT flags FROM users WHERE username = :username AND password = :password


The password is not stored. The one-way hash (String.GetHashCode()) is stored. What the user types is hashed before submitting to the database. The only way to hack this is to replace the hash code with a hash known to you, thereby changing their password.


If a null result is obtained, the user didn't provide the right u/p combo. Additionally I have a "banned" flag that denies login.

The main form can check this easily. There is, actually, somewhere on the forums a sticky with info on making a login form.
 
I have heard about this before as a way of securing passwords in a database. The only thing is, all you need is .NET to get a string from its hash code, correct? That seems a little insecure if that is the case. But nevertheless it is much better than the way it is in the current applications I am fixing. "On Error Resume Next" was their error handling technique. But thanks for the response, I will look into that...


SteveS
 
I have a question about this. It must be difficult for a user to type a string that long in. I am not the NSA and most of the users in the application will have passwords that they can remember. Yet security threats do exist. Is it not possible for someone to create a database of every possible combination of string to length 15 and their hash code, and take the hash code and check it, and now know the password?

Because there may not be a database in the picture and I do not want passwords and usernames stored in an easy-to-access configuration file. Is there a way to "embed" these into an application? Meaning, I have seen software sold online that accepts a key to activate it for use. You can do this while offline. Tell me how they accomplish this without easily getting their software stolen.
 
I have a question about this. It must be difficult for a user to type a string that long in. I am not the NSA and most of the users in the application will have passwords that they can remember. Yet security threats do exist. Is it not possible for someone to create a database of every possible combination of string to length 15 and their hash code, and take the hash code and check it, and now know the password?
Yep. It's called brute force attacking and it takes a very long time. In a string of length 15 there are 26^15 combinations if you just use lowercase letters. Using upper, lower and numbers gives you up to 8E26 (800 000 000 000 000 000 000 000) combinations that need hashing to determine which matches. You can't really put that sort of stuff in a database. If you could hash a million per second, the sun will have gone nova and destroyed the earth before you're even half way to finishing. Now, that's not to say that every result would need checking, because over time you get down to the fact that it returns you an int, i.e. one of 43 billion combinations. Pretty much you could bust this in a couple of weeks at a million per second. To break into this system you would only need to find some string that hashed to the same as what the user's password hashed to. Suppose "abc" and "kdfr8j038fe3f9j3f09w4" both hash to the number 789; well, it's gonna bust abc a lot sooner than the big one, whichever the user has put as their password. This system can be broken by replacing the password with a known hash, like a. Get round this by including the username as part of the item that must be hashed. Such details must be kept secret.

Because there may not be a database in the picture and I do not want passwords and usernames stored in an easy-to-access configuration file. Is there a way to "embed" these into an application? Meaning, I have seen software sold online that accepts a key to activate it for use. You can do this while offline. Tell me how they accomplish this without easily getting their software stolen.
Whoa; you started off talking about a login-based system, not protecting your shareware from cracking attempts. While a good few million trillion combinations would be pretty good to stop someone getting into your db in a simplistic login-based system, I really don't think I would use it to create registration keys for software. That's a whole ballgame that has its own forum here.
 
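The reply above makes two points: a fixed 32-bit hash code leaves only about 2^32 stored values to search, and the username should be part of what gets hashed. The following is an added example, not code from this thread (and in Python rather than VB, so it can run anywhere): it stores a per-user random salt plus a slow PBKDF2 derivation with the username mixed in, and verifies in constant time. The iteration count and salt length are assumptions you would tune.

```python
import hashlib
import hmac
import os

# Assumptions (not from the thread): PBKDF2-HMAC-SHA256 as the slow hash,
# a 16-byte random salt per user, and a work factor tuned to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def _material(username, password):
    # The username is mixed into the hashed input, as the reply suggests, so the
    # same password stored for two users never yields the same stored value and a
    # stored hash copied from one account into another does not verify.
    return f"{username.lower()}\0{password}".encode("utf-8")


def make_record(username, password, salt=None):
    """Build the row to store instead of the password: username, salt, hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", _material(username, password), salt, ITERATIONS)
    return {"username": username, "salt": salt.hex(), "hash": dk.hex(),
            "iterations": ITERATIONS}


def verify(record, username, password):
    """Recompute the derived key for the stored salt and compare in constant time."""
    if record["username"].lower() != username.lower():
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _material(username, password),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


# Constructed sample users. BOB deliberately reuses ALICE's salt and password to
# show that the username binding alone still gives a different stored hash.
ALICE = make_record("alice", "correct horse")
BOB = make_record("bob", "correct horse", salt=bytes.fromhex(ALICE["salt"]))

if __name__ == "__main__":
    print("alice ok:", verify(ALICE, "alice", "correct horse"))          # True
    print("bad password:", verify(ALICE, "alice", "wrong"))              # False
    print("hash differs across users:", ALICE["hash"] != BOB["hash"])   # True
```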
Maybe you could help me decide. That was just an example of what I saw. What I am trying to do is "embed" permissions into an application somehow. They will be copying files and there are 5-6 backend processes associated with my application, and it needs access to databases, web services, file shares, and FTP.

This is a big change in the system, but all of the data comes from this application. I need to somehow "embed" permissions into the application so that users no longer can mess up like they always do, but rather only give the application access to these things.

This application would reside in a file share and will only be visible to people that can use it. I want this application to have the appropriate access to everything on the network and not the user.

These applications are in VB6 and I know this may make things more difficult. But if I could understand how to do it in theory and it seems easy, I may want to create a utility that manages this entire group of applications in .NET, or a single utility for each of these, or research a tool that does this.

Thanks much for all the help, it is greatly appreciated!!!!! :D
 
I'm a bit lost.

Are you saying that the 5-6 processes that must be locked down are already present as exes in VB6?

I would recommend you write an app in VB.NET that:

Stores user permissions in a database
Starts the app for the user
Monitors running apps and kills any that the user has no permission for
Is protected from being killed itself by running as a service that restarts, and ensure that the user has no permission to end the service task by arranging Windows permissions such that the user cannot kill (certain) processes or stop services

User/pass isn't really necessary; just take the logged-on user's name
 
just take the logged on user's name

Although it's not quite directly what you're asking, this is how I do my permissions / security.

In 2 of my apps I have a form that only certain staff members can access, and all I do is take the logged-on username and check to make sure it's in a group in my Active Directory; if it is, open the form, if it isn't, display a messagebox.

VB.NET:
Public Class Form1

    Private Sub Form1_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        'get the logged-on Windows user
        Dim s As New System.Security.Principal.WindowsPrincipal( _
            System.Security.Principal.WindowsIdentity.GetCurrent())

        'check Active Directory group membership (role name is DOMAIN\Group)
        If s.IsInRole("ActiveDirectory\MyGroup") Then
            Dim frm As New Form2
            frm.Show()
        Else
            MessageBox.Show("Sorry, you do not have adequate permissions to view this form", "Access Denied")
        End If
    End Sub

    ' ...
    ' ...

End Class
 