60. Hashing Passwords (Programming In Access 2013)

  • Published: 18 May 2014
  • Hashing Passwords in "Programming in Microsoft Access 2013". Hosted by Steve Bishop.
    In this free beginner video tutorial series Steve will be going over Database Development in Access, creating the User Interface, and coding the backend of the application in Visual Basic for Applications (VBA).
    Click here for the full playlist of "Programming in Access 2013"
    • Programming in Microso...
    Click here for the Work Files of this series:
    github.com/Xipooo/Programming...

Comments • 58

  • @christopheraldrich665
    @christopheraldrich665 4 years ago

    THIS is EXCELLENT! It is exactly what I needed and it is clear, step-by-step. Well done and MUCH appreciated!

  • @mjj7216
    @mjj7216 9 years ago +2

    Thank you so much Steve! Very helpful!
    I was wondering if it's possible to automatically encrypt the password.
    It would be nice to make new users as admin and let the user change their password in their own controlpanel-like form.
    Is that possible?

  • @solution100
    @solution100 7 years ago

    Hi, Steve. Nice work. I have been a fan of Access for a long time. Much of my learning comes from your video. My question is: how can I protect a database or a front end mdb to avoid copying to another PC?

  • @patrickglose8020
    @patrickglose8020 9 years ago

    Steve,
    Thank you so much for this, and the other series on VBA and Access. They have been very helpful in fine tuning my own DB, especially the videos on securing it. Today, I am going to take a stab at offering users a way to, and forcing the first, change their password, as well as creating an Admin form for creating a new user. I thought that before I get too deep in mucking it up, I'd ask if you have such a video that includes inputting, hashing, and storing the password?
    Thanks in advance.

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 9 years ago

      Patrick Glose No videos that specifically go over this process, but you can piece it together based on the collection of videos.

  • @dpantin
    @dpantin 6 years ago

    Thanks, bro! You're already like family.

  • @user-xd8sl7qe1l
    @user-xd8sl7qe1l 8 months ago

    I love your Combox Login but now I can't do Hashing and also the User Authorization. Hope you could do a short video on both. More power.

  • @accsofter7802
    @accsofter7802 6 years ago

    Thanks Steve ..
    I have a question please ..
    Can I store any image in Access as a Binary or hashing or any way?

  • @Digital010
    @Digital010 4 years ago

    I just found this magnificent chapter and I have a question, Steve or anyone with VBA experience.
    What code do I add to be able to replace the password written with the encrypted on the table after updating that password field? I created a form from the table (employees_frm) so it has the same fields. I just want to be able to encrypt the password after updating the password field with the encrypted one.

  • @urielramirez27
    @urielramirez27 9 years ago

    I'm trying to implement the hashing technique, however, every time I run the code the result is given back in scientific notation and not a "long series of numbers". How can I change that, since the value that is stored in my table will look like "1.2323232E+29" rather than the long number? I think this is due to a configuration option in Access, I'm using Access 2013.

  • @arshenfashoom7139
    @arshenfashoom7139 4 years ago

    OK, so I did all this, but how do I remove the Access customize quick access toolbar that's in the top left corner?
    Love the videos by the way, very informative.

  • @barrynieuwoudt4569
    @barrynieuwoudt4569 7 years ago

    Hi all, please help.
    I have a table with customers and a table with inventory, no relationship between the 2. I created a 3rd table with customer,
    item and a yes/no field.
    I need a form where I could select a customer, see all the records in the inventory table and then I want to select only the
    records from inventory that is applicable to the specific customer.
    How do I go about? relationships created between the three tables, tried outer join,
    then I could not select yes/no.

  • @DiekeVandekerckhove
    @DiekeVandekerckhove 4 years ago

    Nice video. But how do I integrate bcrypt to hash my passwords? So with per/user per/password also a different salt, even if the password is the same for multiple users?

  • @lbarbaric11
    @lbarbaric11 7 years ago

    How can you make that long random character text automatically save to the table when you're creating a new user in your user registration form? I don't want to have to go in every time a user is created and create the encrypted text myself. I also want the user to be able to change their password (normal text) and have that again automatically update in the table. Pointers? Did I totally misunderstand the point of this?

  • @robsmart8071
    @robsmart8071 5 years ago

    I know this video is a few years old, but I successfully hashed the passwords in my users table and I am having issues if they want to change their password. I don't want to change the passwords for them. How can I have it so when the user changes the password it encrypts it automatically? I saw a post on here on how to change the password but I am confused on how to set it up. Any help will be greatly appreciated.

  • @julioiglesias2143
    @julioiglesias2143 8 years ago

    Hi Steve,
    How do you write code to combine the Encrypt function with the needed Nz so the password field does not work when it is left empty?
    Thanks for your videos.

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 8 years ago +1

      +Julio Iglesias You can wrap the password textbox in an nz function, then wrap that with the encrypt function. Encrypt(Nz(me.txtPassword))

  • @florykirongozi2836
    @florykirongozi2836 8 years ago +2

    Hi Steve,
    Thank you very much for sharing such great job. I tried as you explained in this video and it works perfectly.
    Nevertheless, I want to move to next step by implementing on the form where I record new user or change their password.
    I mean, instead of changing the password by ?Encrypt("password"), I want it from Access form while adding new user or changing his password.
    I tried couple events, but I'm stuck.
    Can you have some advice?
    Thanks in advance.

    • @florykirongozi2836
      @florykirongozi2836 8 years ago

      I came over the issue:
      Option Compare Database

      Private Sub txtConfirmer_LostFocus()
          ' Check if both passwords are the same
          If Me.Mot_de_passe <> Me.txtConfirmer Then
              MsgBox "Les deux mots de passe ne sont pas identiques. Veuillez recommencer.", vbExclamation, "Confirmation mot de passe"
              Me.txtPWDClair.SetFocus
              Me.txtPWDClair.Text = ""
              Me.txtConfirmerClair.SetFocus
              Me.txtConfirmerClair.Text = ""
          End If
      End Sub

      ' Hash the confirmation typed in the unbound box and copy it into the locked control
      Private Sub txtConfirmerClair_LostFocus()
          Dim sPWD_Confirm As String
          On Error Resume Next
          sPWD_Confirm = Encrypt(txtConfirmerClair.Text)
          Me.txtConfirmer.SetFocus
          Me.txtConfirmer.Locked = False
          Me.txtConfirmer.Text = sPWD_Confirm
          Me.txtConfirmer.Locked = True
          Refresh
      End Sub

      ' Hash the password typed in the unbound box and copy it into the locked, bound control
      Private Sub txtPWDClair_LostFocus()
          Dim sPWD As String
          On Error Resume Next
          sPWD = Encrypt(txtPWDClair.Text)
          Me.Mot_de_passe.SetFocus
          Me.Mot_de_passe.Locked = False
          Me.Mot_de_passe.Text = sPWD
          Me.Mot_de_passe.Locked = True
          Refresh
      End Sub

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 8 years ago +1

      +Flory Kirongozi Here is my advice. You NEVER want to expose the password. Therefore you never decrypt it. You should only be comparing the stored encryption to an encrypted version of what they type in the box. If they match, then the user can change it to another value they put in another textbox.

    • @florykirongozi2836
      @florykirongozi2836 8 years ago

      Programming True, I didn't decrypt. The tip is that I created two textboxes for the password. One is unbound (txtPWDClair) and the other is linked to the table. The encrypt function is behind the "unbound" one, which then sends its result to the table. On the login form, the linked password text box has size 0.01. It works.

  • @jonoldroyd3885
    @jonoldroyd3885 8 years ago

    Hi,
    Great videos & I'm learning lots. However on this section I would like to add some feedback:
    The hashing example isn't right for a few reasons. In simple terms a hash is typically generated by a "one-way" function, ensuring that if one gets hold of the hash value it's not possible to reconstruct, ie go the other-way, and recover the password.
    The hash, when performed, would generate the same output for the same input, so if two users share the same password they'd also share the same hash. To overcome someone hashing typical passwords and comparing these with, say, the hashed values someone had stolen from the db, adding Salt ensures that the hashed outputs are much stronger and resistant to brute force lookups.
    So I use a form with three fields, a username, password_1, and password_2. Cancel & OK buttons.
    The input fields should be validated, i.e. ensuring username is not blank, and that password_1 is equal to password_2. One could also ensure the password entered met some quality policy, such as minimum of 8 characters, no longer than 32 characters, includes upper case, lower case, has some numbers in it etc.
    Salt can be set to a combination of Username and say a fixed string concatenated together (or even a hashed username!). It would have to be static, not changing between executions, so don't use a varying value like the date.
    Then I run the functions below from:
    Password_HMAC_SHA512 = Base64_HMACSHA512(Password_PT, Salt)
    Oh. worth saying I had to add Microsoft XML v3.0 to resources. Save the Password_HMAC_SHA512 in the passwords table & use there on in. Hope this was useful & thanks for the access course!
    Public Function Base64_HMACSHA512(ByVal sTextToHash As String, ByVal sSharedSecretKey As String) As String
        'source: stackoverflow.com/questions/8246340/does-vba-have-a-hash-hmac/10068932#10068932
        Dim asc As Object, enc As Object
        Dim TextToHash() As Byte
        Dim SharedSecretKey() As Byte
        Set asc = CreateObject("System.Text.UTF8Encoding")
        Set enc = CreateObject("System.Security.Cryptography.HMACSHA512")
        ' convert both strings to UTF-8 bytes; the salt is used as the HMAC key
        TextToHash = asc.Getbytes_4(sTextToHash)
        SharedSecretKey = asc.Getbytes_4(sSharedSecretKey)
        enc.Key = SharedSecretKey
        Dim bytes() As Byte
        bytes = enc.ComputeHash_2((TextToHash))
        Base64_HMACSHA512 = EncodeBase64(bytes)
        Set asc = Nothing
        Set enc = Nothing
    End Function

    Private Function EncodeBase64(ByRef arrData() As Byte) As String
        'source: stackoverflow.com/questions/8246340/does-vba-have-a-hash-hmac/10068932#10068932
        Dim objXML As MSXML2.DOMDocument
        Dim objNode As MSXML2.IXMLDOMElement
        Set objXML = New MSXML2.DOMDocument
        ' byte array to base64
        Set objNode = objXML.createElement("b64")
        objNode.DataType = "bin.base64"
        objNode.nodeTypedValue = arrData
        EncodeBase64 = objNode.Text
        Set objNode = Nothing
        Set objXML = Nothing
    End Function

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 8 years ago

      I hope you understand that the intent of this video was not to provide a complete hashing process. It is a beginners course and so the most simple and basic of strategies has to be employed here. I agree, it's not the most secure or best way to secure a password, but for the people just watching this series it was an appropriate solution.

    • @Hsherif90
      @Hsherif90 6 years ago

      I know this is a very old post, but I can't get your Function to work. I get "user defined type not defined" on the line objXML As MSXML2.DOMDocument. Am I missing the import? If so, then how do you do it?
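
The change-password flow that several commenters ask about, built on the salted HMAC-SHA512 approach from the thread above. This is an added example, not code from the video or from any commenter. The table `tblUsers` with text fields `UserName` and `PasswordHash`, the constant `APP_SECRET` and all function names are assumptions, and the hashing relies on the same .NET COM classes as the commenter's function.

```vba
Option Compare Database
Option Explicit

' Added example. Hypothetical names: tblUsers(UserName, PasswordHash), APP_SECRET.
Private Const APP_SECRET As String = "change-me-fixed-string"   ' placeholder value

' Late-bound variant of the HMAC-SHA512 hashing shown in the comment above
' (no MSXML reference has to be ticked under Tools > References).
Private Function HashPassword(ByVal sUser As String, ByVal sPlain As String) As String
    Dim utf8 As Object, hmac As Object, node As Object
    Dim keyBytes() As Byte, textBytes() As Byte, hashBytes() As Byte
    Set utf8 = CreateObject("System.Text.UTF8Encoding")
    Set hmac = CreateObject("System.Security.Cryptography.HMACSHA512")
    ' Salt = normalised user name + fixed string (static between runs)
    keyBytes = utf8.GetBytes_4(LCase$(Trim$(sUser)) & APP_SECRET)
    textBytes = utf8.GetBytes_4(sPlain)
    hmac.Key = keyBytes
    hashBytes = hmac.ComputeHash_2((textBytes))
    Set node = CreateObject("MSXML2.DOMDocument").createElement("b64")
    node.DataType = "bin.base64"
    node.nodeTypedValue = hashBytes
    HashPassword = Replace(node.Text, vbLf, "")   ' drop line breaks in the Base64 text
End Function

' True only if the hash of what was typed equals the stored hash.
Public Function VerifyPassword(ByVal sUser As String, ByVal sPlain As String) As Boolean
    Dim qdf As DAO.QueryDef, rs As DAO.Recordset
    If Len(sPlain) = 0 Then Exit Function          ' empty password never matches
    Set qdf = CurrentDb.CreateQueryDef("", "PARAMETERS pUser Text(255); " & _
        "SELECT PasswordHash FROM tblUsers WHERE UserName = [pUser];")
    qdf.Parameters("pUser").Value = sUser
    Set rs = qdf.OpenRecordset(dbOpenSnapshot)
    If Not rs.EOF Then
        ' Option Compare Database makes "=" case-insensitive, so two Base64
        ' strings that differ only in letter case would match; compare binary.
        VerifyPassword = (StrComp(Nz(rs!PasswordHash, ""), _
            HashPassword(sUser, sPlain), vbBinaryCompare) = 0)
    End If
    rs.Close
End Function

' Replaces the stored hash; the plain text is never written to the table.
Public Function ChangePassword(ByVal sUser As String, ByVal sOld As String, _
        ByVal sNew As String, ByVal sConfirm As String) As Boolean
    Dim qdf As DAO.QueryDef
    If Not VerifyPassword(sUser, sOld) Then Exit Function
    If StrComp(sNew, sConfirm, vbBinaryCompare) <> 0 Then Exit Function
    If Len(sNew) < 8 Or Len(sNew) > 32 Then Exit Function   ' length policy from the comment
    Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pHash Text(255), pUser Text(255); " & _
        "UPDATE tblUsers SET PasswordHash = [pHash] WHERE UserName = [pUser];")
    qdf.Parameters("pHash").Value = HashPassword(sUser, sNew)
    qdf.Parameters("pUser").Value = sUser
    qdf.Execute dbFailOnError
    ChangePassword = (qdf.RecordsAffected = 1)
End Function
```

Call `ChangePassword` from the OK button of an unbound form, so the bound table field only ever receives the hash.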

  • @RK-fp7ob
    @RK-fp7ob 7 years ago

    Hi, thanks for all the great videos, really helping me a lot!!!
    2 questions,
    1 - Do you know how to make a license code security which asks for renewal after a period (like 1 year) and locks the application when the period expires...?
    2 - Do you know how to resize a pop-up window where the content inside also resizes so that all content is visible...?

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 7 years ago

      1 - Yes, but it's not entirely easy. First you want to store the date it was registered via some encrypted value stored in a hidden table. Then, each time the application is opened you want to decrypt that date and compare it to today's date. If it is older, then it is expired. To register I make a form where the user has a key generated by an encryption algorithm (typically includes their machine ID as part of the encrypted string), then I possess a key generation algorithm personally that is not distributed with the code but rather that I have personally. It takes the key they entered, that key along with an additional value is re-encrypted and sent back to the user as the "registration key". Then if that registration key matches what the expected key should be in their registration form the application is registered. The best way to do this is for the registration form to ask a WebAPI if the key matches, otherwise you end up putting the logic in the application that could be used to figure out the key. Also, you should only distribute the file as an accde file so that the users cannot look at the VBA code.
      2 - Yes. That's what the Anchoring is for under the Arrange tab when you have the form open in design view.

    • @RK-fp7ob
      @RK-fp7ob 7 years ago

      Thanks for the reply. When I use anchoring it stretches my textboxes all the way out, and when I make the window smaller it just stops making content smaller and leaves it outside the window so I can't see it anymore.... or I'm doing it wrong.... ?

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 7 years ago

      You don't want to use the anchoring that causes stretching. Use the other anchoring options.

  • @julioiglesias2143
    @julioiglesias2143 8 years ago

    Hi Steve,
    I would like to present in the screen the current user.
    I have not been able so far.
    Your kind help with a line or two of code will be much appreciated.
    Thanks for your videos. They are a source of wisdom for those that are beginning on this arid "VBA" road.

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 8 years ago

      +Julio Iglesias When the user logs into the login screen, simply store the username in a TempVars variable. Then you can reuse that tempvars variable everywhere you want to show their name.

  • @simsjones1977
    @simsjones1977 9 years ago

    I download the test files but when I try to open the front end database I get an error because it is looking for the backend database on your computer and I have no way to change it. I get this error after I enter the password.

    • @simsjones1977
      @simsjones1977 9 years ago +1

      Nevermind. I figured it out from watching one of the earlier videos on securing the front end

  • @robertsaul7772
    @robertsaul7772 7 years ago

    How would you use this to allow a user to change their password and automatically hash the new password, say if someone forgot their password?

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 7 years ago

      Just pass the new password through the encrypt function to get the new encrypted password. BTW, this really isn't a full fledged encryption process. This is just a demonstration of a very basic hashing. You should look for a more complex encryption scheme.

  • @PTMfishing
    @PTMfishing 8 years ago

    How would you place the hashed password back into the password column?

  • @erinmartineau2260
    @erinmartineau2260 9 years ago

    Hi Steve, I'm worried my users might forget their passwords and I'd have no way to retrieve it. I suppose the best solution is to simply create a new one for them. Do you have any other suggestions?
    By the way, I LOVE this series! Thank you for all of your hard work in making it!

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 9 years ago

      Erin Martineau I would not put a decryption process in the application because that opens you up to anyone with some VBA knowledge getting all the info they want. Don't forget you can import things like forms, reports, modules, etc to another database. They could easily import your "decrypt" function and start to go to work on your users table.
      It's best to just compare an encrypted value of the password they entered in the password box with what is stored for their user name.

    • @oofyeetmcgee
      @oofyeetmcgee 6 years ago

      I don't think that was what they were asking, they were asking about a password reset form

    • @simonmaersk
      @simonmaersk 1 year ago

      @ProgrammingMadeEZ Well they can't really import that stuff if you make an ACCDE file

  • @joost3972
    @joost3972 9 years ago

    Hi, I'm trying to implement the hashing method used above but I'm getting an error message. I just followed the instructions, but when I enter ?encrypt("password") in the immediate dialog I'm getting an error message. Could you help me?

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 9 years ago

      Perhaps it would help if you told us what the error is.

    • @RyouTakehito
      @RyouTakehito 9 years ago

      Programming I have the same problem as Joost. The problem is as follow:
      Compile Error:
      Sub or Function not defined
      I've also noticed that the word "Public Const Salt As Long = 543211234" is highlighted in red. Can you please help me?

  • @rawanshe2965
    @rawanshe2965 8 years ago

    I notice that you paste the code in global models.
    What's that?
    And how do I do it like you did?
    I am a student, so kindly help me.

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 8 years ago +1

      +Rawan alghamdi Yes, I have a module called globals that I generally put methods and variables in which I feel I need to use across the entire application. There is nothing special to it, it's just a module.

    • @rawanshe2965
      @rawanshe2965 8 years ago +3

      +Programming Thank U
      Officially I am a fan

  • @lvank012
    @lvank012 6 years ago +2

    For people who know something about cryptography this video was like... oopsie... two main things: hashing is not an encryption and salt is not second term for password... but anyway I understand what teacher wanted to say so it's OK... for less skilled people it could be a bit confusing though

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 6 years ago +1

      You are absolutely right. I messed this up and it will have to be in my new 2016 course.

    • @lvank012
      @lvank012 6 years ago

      Anyway it was a great course, thanks for all the hard work!

  • @ProgrammingMadeEZ
    @ProgrammingMadeEZ 9 years ago

    Uriel, unfortunately I am not able to reply to your question directly. RUclips doesn't give me a reply option, so hopefully you see this.
    Chances are the field you created to hold the value is numerical instead of string/text. Either that or you are doing some sort of mathematical calculation on the value producing a longer number than Access can show without using scientific notation.

    • @RicardoBarreraArellano
      @RicardoBarreraArellano 9 years ago

      Hi Steve, I'm pretty sure you are the right person to help me out with this even though it is an Excel problem...
      I built a MSForm which is meant to work as a status bar all over the top of my app when I want to show a message. I have set up all its properties as a non-modal form so that when it opens the user is able to work with the workbook which is partially done because when the form shows up while the user is using the keyboard (arrows) in order to navigate through the sheet, the form get the focus and the user has to click outside of the form in order to keep working on it. I have tried lot of things without success and I think it is time to ask for help. Any idea would be greatly appreciated

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 9 years ago

      Ricardo Barrera Well if you think about it any code that you have won't work while other code is running. Access (and Excel) do not have multi-threading like .NET applications do. You're stuck with only running one process at a time.

    • @RicardoBarreraArellano
      @RicardoBarreraArellano 9 years ago

      Programming Thank you Steve. I know you know a lot about it. But, this time I have to say that your thoughts aren't totally right since I found a workaround (without loving it) that is just coding "a mouse click" from VBA and it works fine. The unique thing that I don't like too much is that I have to get the exact position of the cell the user was in when the form popped up. I have done enough research about it and I definitely ended up saying that as long as it works I don't have to worry about it. But, believe me, I DO REALLY APPRECIATE YOUR TIME. Thank you very much!

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 9 years ago

      Ricardo Barrera I would be very interested to see how the code is running and allowing you to do other code at the same time. VBA does not have multi-threading so simultaneous processing is not possible. You must be doing something within your code to only periodically interact with the progress form.

  • @coaching_engineer
    @coaching_engineer 9 years ago

    You forgot to mention your close button...

    • @ProgrammingMadeEZ
      @ProgrammingMadeEZ 9 years ago

      Jaz Isom Eh... not really that important, but you can just edit the on click event to do docmd.close.

    • @coaching_engineer
      @coaching_engineer 9 years ago +2

      Noted... Thanks.