d4jaj1

Real Database Security

I have an app that uses password protected Paradox tables.  Currently, the user is prompted with a password dialog and I use the AddPassword method to open the tables.  I also give the user the ability to change their password.

I'm using a table to store three password records (the user password, the administrator password and a reset password) in two fields - UserPassword & SystemPassword.  The password dialog box finds the textbox value in the table's UserPassword field, then assigns the SystemPassword to the session.

The Problem is - this is really dumb!  It works very well, but in terms of security, anyone could open the password table (it's not protected) and get the real passwords.

What is a better way to REALLY secure my application, but still allow the user to change and reset their password (this is why I didn't hard code it)?  This is a stand-alone app, so no answers telling me to restrict access to drives, etc.
ASKER CERTIFIED SOLUTION
Nuno Alves

d4jaj1

ASKER

Sounds pretty good but, I don't know how to 'sum the ascii code' in the table.  If I change the text somehow, wouldn't my program fail every time it searched for the password - which is a string?  Can you help?
You have access to the passwords table. What you could do is build a little function to read the passwords one by one and sum the ASCII code of the word that you selected (use the function ORD to know the ASCII code of a letter, and then with the sum, the CHR function transforms the ASCII code into a character). Then save the new word.
After, when a user gives the password, you encrypt it and then you have the same word that is in the table, so you can compare.
This is what you could do:

     user_pass --> original password
   + pascalpas --> word you selected "pascal"
     ---------    
     erfrgrh23 --> save this in the table
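
The scheme described in the reply above, next to a salted one-way hash for the UserPassword check, as an added example that is not part of the original thread. It is written in Python rather than the Delphi the app uses; the function names, the hex storage format, the sample password and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY_WORD = "pascal"  # the word from the reply; it has to ship inside the program


def sum_encode(password, key=KEY_WORD):
    """Add the key's character codes to the password's, position by position (mod 256)."""
    # Assumption: single-byte characters, as in a Paradox string field.
    data = password.encode("latin-1")
    k = key.encode("latin-1")
    out = bytes((b + k[i % len(k)]) % 256 for i, b in enumerate(data))
    return out.hex()  # stored as hex because the sums are often unprintable


def sum_decode(stored, key=KEY_WORD):
    """Subtract the key again: anyone holding the key word gets the password back."""
    data = bytes.fromhex(stored)
    k = key.encode("latin-1")
    plain = bytes((b - k[i % len(k)]) % 256 for i, b in enumerate(data))
    return plain.decode("latin-1")


def hash_password(password, salt=None, rounds=200_000):
    """One-way alternative: store (salt, PBKDF2 digest) instead of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_password(attempt, salt, digest, rounds=200_000):
    """Re-derive the digest from the attempt and compare in constant time."""
    _, candidate = hash_password(attempt, salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = sum_encode("user_pass")  # constructed sample password
    print("summed:", stored, "-> decoded:", sum_decode(stored))
    salt, digest = hash_password("user_pass")
    print("hash check:", verify_password("user_pass", salt, digest),
          verify_password("guess", salt, digest))
```

The hash covers only the UserPassword comparison; the SystemPassword that is handed to AddPassword still has to be recoverable by the program, so it needs separate protection.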