Checking User's Password using the MSAccess security model


LittleSmudge

Programmer
Mar 18, 2002
2,848
GB
I have many databases set up using the standard Access Security Model.

There are two things that I need to do using a similar piece of code - that works in some dbs and clearly does not work in others.

Thing 1) Allow users to change their password

Thing 2) Allow a user to 'sign' a record in a certain table by requiring them to enter their password and verify it against the password in the Security.mdw file.

The code I use for Thing 1) is
DBEngine(0).Users(CurrentUser()).NewPassword Nz(txtOld, ""), Nz(txtNew, "")

The code I use for Thing 2 is
DBEngine(0).Users(AuthorisedBy.Column(2)).NewPassword Nz(txtVerify, ""), Nz(txtVerify, "")

The code should throw a 3033 Error if the original password is incorrect. However, in some databases the code reliably ignores the check and sets the password to the new value regardless of the old - WORRYING.

Does anyone know WHY -
Or does anyone have a more reliable chunk of code to do the same thing?







G LS
spsinkNOJUNK@yahoo.co.uk
Remove the NOJUNK to use.
 
I recently used this ADO example code to allow users to change their password.


In addition, my error handler does this when it encounters error 3033, make sure you don't

On Error GoTo CmdChange_err

' code . . .

CmdChange_err:
    If Err.Number = 3033 Then
        MsgBox "You have entered the wrong old password, please try again! ", vbOKOnly, "Wrong Password"
        Me.txtOldPassword = ""
        Me.txtOldPassword.SetFocus
        Me.txtNewPassword = Null
        Me.txtVerifyPassword = Null
    Else
        MsgBox Err.Description & " " & Err.Number
    End If
 
Actually, the error code for ADO is -2147217911, not 3033, so the code should be

CmdChange_err:
    If Err.Number = -2147217911 Then
        MsgBox "You have entered the wrong old password, please try again! ", vbOKOnly, "Wrong Password"
        Me.txtOldPassword = ""
        Me.txtOldPassword.SetFocus
        Me.txtNewPassword = Null
        Me.txtVerifyPassword = Null
    Else
        MsgBox Err.Description & " " & Err.Number
    End If
 
Thanks HomeAlone.

It's been a bugbear for a long time having to link in DAO3.6 just for the password checking.

ADOX is already linked for other reasons - so I'm glad to find an ADO solution to this problem.

Have a star for knowing where to point me to.





G LS
spsinkNOJUNK@yahoo.co.uk
Remove the NOJUNK to use.
 
I've had a careful look at the code in the reference you provided HomeAlone - and it just doesn't do the job.

There is a little comment in the middle of the code that gives a hint as to why.

If the current user is in the admins group and is resetting or changing another user's password then the OLD password is not required.
Therefore, any user in the admins group would be able to 'sign' the record for anyone else because they don't need to know the old password.

What's even worse - is that if someone does 'sign' with a random string of characters instead of the real password - the actual password is CHANGED to that random string.


ALSO, if you look at the code carefully, the Administrator has to enter their password on the sample form, but nowhere in the code is this password verified. Therefore this form allows anyone to change or reset the password of any user once the database is opened by a member of the Admins group.





G LS
spsinkNOJUNK@yahoo.co.uk
Remove the NOJUNK to use.
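
Added example, not code from this thread or from the referenced sample: one way to check a password for the 'sign a record' case without calling NewPassword is to open a throwaway DAO workspace as the named user, which authenticates against the workgroup file and writes nothing to it. It assumes a DAO 3.6 reference and that Access is joined to the secured .mdw; VerifyJetPassword and the workspace name "VerifyTmp" are hypothetical names.

```vba
Option Compare Database
Option Explicit

' Jet error raised by CreateWorkspace for a bad user name or password:
' "Not a valid account name or password."
Private Const ERR_BAD_ACCOUNT As Long = 3029

' Returns True only if userName/password authenticate against the workgroup
' file of the current session. Read-only: the stored password is never
' changed, and the check is made as the named user, so the current user
' being in the Admins group does not relax it.
Public Function VerifyJetPassword(ByVal userName As String, _
                                  ByVal password As String) As Boolean
    Dim ws As DAO.Workspace

    On Error GoTo Verify_Err
    ' A workspace created this way is not appended to DBEngine.Workspaces,
    ' so the session the user is working in is left untouched.
    Set ws = DBEngine.CreateWorkspace("VerifyTmp", userName, password, dbUseJet)
    VerifyJetPassword = True

Verify_Exit:
    On Error Resume Next
    If Not ws Is Nothing Then ws.Close
    Set ws = Nothing
    Exit Function

Verify_Err:
    ' Fail closed on every error; only report the unexpected ones.
    VerifyJetPassword = False
    If Err.Number <> ERR_BAD_ACCOUNT Then
        MsgBox Err.Description & " " & Err.Number
    End If
    Resume Verify_Exit
End Function

' Usage on the signing form (control names taken from the first post):
'   If Not VerifyJetPassword(AuthorisedBy.Column(2), Nz(txtVerify, "")) Then
'       MsgBox "Password not accepted - record not signed.", vbOKOnly
'       Exit Sub
'   End If
```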
 