User authentication for web database and strength of password...

Hi there.

I work on this web database with SQL Server back-end and classic ASP/VB/JavaScript front-end. It's all on a dedicated Windows server I control almost 100%. So far I used a login procedure where, at login, the page calls a table in the database with user credentials and returns a "Go" or "No" to proceed to other pages for logged-in users only. A cookie is created at "Go" and will expire after an hour of inactivity. When expired, the user is returned to the login page.

Now... I have to implement a procedure:
Every 3 months a user's password must be changed and live up to certain criteria like upper/lower case, number, special character etc.

Option 1: I can try to program something in VB?? (I need help or some good suggestions)

Option 2: I can skip the present concept and create all users on the server. To access the server an SMS pass code is required on top of the login credentials. But how can I implement the Windows Server authentication in the ASP/VB coding?

I would be very happy for some support here. It's a little new territory for me.

And I'm sure it could work better with VB.NET, but that's gotta wait some months. First I must make it work in classic ASP/VB.

I look forward to some wise words. :-)

Best regards


Pawan Kumar (Database Expert) commented:
You can have a table with UserName, Password, PasswordChangedDate...

So whenever the user logs in we can check the PasswordChangedDate and if it is 3 months old we will redirect the user to the Change Password page.
ullenulle (Author) commented:
Hi Pawan.

Yes, that's an obvious solution, but it could be ideal to use the server credentials with SMS pass code... if possible?
Vitor Montalvão (MSSQL Senior Engineer) commented:
Do not reinvent the wheel. Use an Active Directory (AD) user as SQL Server login and then for your application use a trusted connection (Windows security). This way you don't need to store any user credential information and let AD manage the connection.


ullenulle (Author) commented:
Hi Vitor.

Sounds like option 2 I wrote about, but how do I implement that in the code? Any examples?

Best regards

Vitor Montalvão (MSSQL Senior Engineer) commented:
It depends on the client you're using. This article presents examples for SQL Server OLEDB 11.0:
David Johnson, CD, MVP (Owner) commented:
Use Identity and enable 2-factor authentication, i.e. using Microsoft or Google Authenticator or any of the FIDO authenticators.

Never store the user password; use a salted hash, iterate a few thousand times (depends upon the user load and available compute power) and store the hash. I'd save the expiry date/time so you only have to do a simple comparison rather than retrieve the set date, do a date difference and then compare it to 90.
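The scheme the two answers above describe (salted, iterated hash instead of the plaintext password, a stored expiry timestamp compared directly at login, and the upper/lower/digit/special rule from the question), as an added Python example that is not part of the thread; the table column names, the iteration count and the record layout are assumptions standing in for the asker's SQL Server table.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

ITERATIONS = 100_000  # assumed; tune to server load as the answer suggests
EXPIRY_DAYS = 90      # "every 3 months" from the question


def check_policy(password: str) -> list:
    """Return the policy rules the password fails (empty list means it passes)."""
    rules = {
        "at least 8 characters": len(password) >= 8,
        "an upper-case letter": re.search(r"[A-Z]", password) is not None,
        "a lower-case letter": re.search(r"[a-z]", password) is not None,
        "a digit": re.search(r"[0-9]", password) is not None,
        "a special character": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [name for name, ok in rules.items() if not ok]


def make_record(username: str, password: str, now: datetime) -> dict:
    """Build the row to store: salt + PBKDF2 hash + precomputed expiry, never the password."""
    failed = check_policy(password)
    if failed:
        raise ValueError("password is missing: " + ", ".join(failed))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "UserName": username,
        "Salt": salt.hex(),
        "PasswordHash": digest.hex(),
        "Iterations": ITERATIONS,
        "PasswordExpires": now + timedelta(days=EXPIRY_DAYS),  # assumed column name
    }


def login(record: dict, password: str, now: datetime) -> str:
    """Mirror the page's Go/No scheme, adding 'Change' when the password has expired."""
    salt = bytes.fromhex(record["Salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["Iterations"])
    # constant-time comparison so a wrong guess does not leak timing information
    if not hmac.compare_digest(candidate, bytes.fromhex(record["PasswordHash"])):
        return "No"
    if now >= record["PasswordExpires"]:  # single comparison, no date arithmetic at login
        return "Change"
    return "Go"
```

In the ASP page the same steps map onto a SELECT of Salt, PasswordHash, Iterations and PasswordExpires by UserName, followed by the redirect to the change-password page when the result is "Change".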
ullenulle (Author) commented:
Thanks for your comments. I'll be back in a few days. :-)
Vitor Montalvão (MSSQL Senior Engineer) commented:
ullenulle, do you need further help on this question or can it be closed?
ullenulle (Author) commented:
Hi guys.

I need a few more days. I've been travelling.

Best regards

Vitor Montalvão (MSSQL Senior Engineer) commented:
Ulrich, still travelling?
Vitor Montalvão (MSSQL Senior Engineer) commented:
Recommendation to close this question by accepting the above comments as solution.