<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
<BR>
Here is something that I have done.<BR>
I have created an encrypted logon record structure.<BR>
Each column has its own encryption keys.<BR>The QUICK user has read permission to this structure<BR>and the QUICK user can update it if he knows the<BR>answer to the secret question.<BR>
The QUICK user can only update the password field and the set date.<BR>
This leaves creating an account for some other user.<BR>
The E_MAIL field was used as an alternate key if the user forgot his user_name.<BR>
<BR>The structure is<BR>
<pre>
Logon_Info
  USER_NAME        segment
  PASSWORD         segment
  E_MAIL           unique key
  SET_DATE
  SECRET_QUESTION
  SECRET_ANSWER
</pre>
<BR>On the first screen prompt for<BR>
the user name and password and encrypt the entered values.<BR>
Lookup on LOGON_INFO<BR>
<pre>
PROCEDURE INTERNAL ENCRYPT_DATE
BEGIN
  ; T_SET_DATE holds a YYYYMMDD value; each digit position is mapped
  ; through its own lookup string before the result is encrypted
  LET T_DS = ASCII ( T_SET_DATE, 8 )
  LET DECADE = DECADES [ (NCONV ( T_DS[3:1] ) + 1 ) : 1 ]
  LET YEAR   = YEARS   [ (NCONV ( T_DS[4:1] ) + 1 ) : 1 ]
  LET MONTH  = MONTHS  [ (NCONV ( T_DS[5:2] ) + 1 ) : 1 ]
  LET DAY1   = DAY1S   [ (NCONV ( T_DS[7:1] ) + 1 ) : 1 ]
  LET DAY2   = DAY2S   [ (NCONV ( T_DS[8:1] ) + 1 ) : 1 ]
  LET T_DATE_STRING = YEAR + DECADE + DAY2 + MONTH + DAY1
  LET T_DATE_STRING = ENCRYPT ( ENCRYPT ( T_DATE_STRING, 'ZRWEFJBC' ) , 'TQHSTGCX' )
END
</pre>
<pre>
PROCEDURE INTERNAL DECRYPT_DATE
BEGIN
  ; reverse of ENCRYPT_DATE: decrypt, split the positions, then rebuild YYYYMMDD
  LET T_DATE_STRING = DECRYPT ( DECRYPT ( T_DATE_STRING, 'TQHSTGCX' ) , 'ZRWEFJBC' )
  LET DECADE = T_DATE_STRING[2:1]
  LET YEAR   = T_DATE_STRING[1:1]
  LET MONTH  = T_DATE_STRING[4:1]
  LET DAY1   = T_DATE_STRING[5:1]
  LET DAY2   = T_DATE_STRING[3:1]
  LET T_SET_DATE = 20000000 + &amp;
      ( INDEX ( DECADES, DECADE ) - 1 ) * 100000 + &amp;
      ( INDEX ( YEARS, YEAR ) - 1 ) * 10000 + &amp;
      ( INDEX ( MONTHS, MONTH ) - 1 ) * 100 + &amp;
      ( INDEX ( DAY1S, DAY1 ) - 1 ) * 10 + &amp;
      ( INDEX ( DAY2S, DAY2 ) - 1 )
  ; There should be a valid date check here in case something went
  ; wrong. Also, the date should be less than SYSDATE.
END
</pre>
<pre>
PROCEDURE DESIGNER RSPASS help 'Reset password' nodata
BEGIN
  LET T_SECRET_QUESTION = decrypt secret question
  DISPLAY T_SECRET_QUESTION
  ACCEPT T_SECRET_ANSWER
  LET T_SECRET_ANSWER2 = encrypt T_SECRET_ANSWER
  IF T_SECRET_ANSWER2 = SECRET_ANSWER OF LOGON_INFO
  THEN BEGIN
    ACCEPT T_PASS1
    ACCEPT T_PASS2
    IF T_PASS1 &lt;&gt; T_PASS2
    THEN ERROR "Passwords do not agree."
    LET PASSWORD OF LOGON_INFO = ENCRYPT ( ENCRYPT ( T_PASS1, 'YODGLZM' ) , 'GHIKSNRW' )
    LET T_SET_DATE = SYSDATE
    DO INTERNAL ENCRYPT_DATE
    LET SET_DATE OF LOGON_INFO = T_DATE_STRING
    PUT LOGON_INFO
    COMMIT UPDATE
    LET LOGON_OK = 'Y'
  END
  ELSE ERROR "The answer is incorrect."
END ; RSPASS
</pre>
<BR><pre>
PROCEDURE INTERNAL PROMPT_LOGIN
BEGIN
  LET LOGON_OK = 'N'
  ACCEPT T_USERNAME
  ACCEPT T_PASSWORD
  ; encrypt username &amp; password
  GET LOGON_INFO via username , password optional
  IF NOT ACCESSOK
  THEN BEGIN
    IF ATTEMPTS &lt; TRY_LIMIT
    THEN BEGIN
      LET INFO = "User name and/or password incorrect. Please try again"
      LET ATTEMPTS = ATTEMPTS + 1
      DO INTERNAL PROMPT_LOGIN
    END
  END
  ELSE BEGIN
    LET T_DATE_STRING = SET_DATE OF LOGON_INFO
    DO INTERNAL DECRYPT_DATE    ; sets T_SET_DATE from the decrypted SET_DATE of LOGON_INFO
    IF EXP_DAYS_PASSWORD &lt; DAYS ( SYSDATE ) - DAYS ( T_SET_DATE )
    THEN BEGIN
      LET INFO = "Password has expired."
      PUSH RSPASS
    END
    ELSE BEGIN
      LET LOGON_OK = 'Y'
      IF WARN_DAYS_PASSWORD &lt; DAYS ( SYSDATE ) - DAYS ( T_SET_DATE )
      THEN LET INFO = 'Password will expire in ' + &amp;
               ASCII ( EXP_DAYS_PASSWORD - &amp;
                       DAYS ( SYSDATE ) + &amp;
                       DAYS ( T_SET_DATE ) ) + &amp;
               ' days. '
      ELSE NULL
    END
  END
END ; PROMPT_LOGIN
</pre>
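As an added illustration, not part of this mail and not PowerHouse code, the same flow in Python: lookup by USER_NAME or by E_MAIL as the alternate key, an attempt limit, the expiry and warning windows of PROMPT_LOGIN, and the RSPASS-style reset through the secret answer. One deliberate substitution is named here: instead of the reversible ENCRYPT(ENCRYPT(x, key1), key2) calls, the password and secret answer are stored as salted one-way PBKDF2 hashes, so a copied record cannot be decrypted back to either value. The policy values EXP_DAYS_PASSWORD, WARN_DAYS_PASSWORD and TRY_LIMIT, the lockout once TRY_LIMIT is reached, and all account data are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date

# Policy values: assumed for the example (the sketch names the variables, not the values).
EXP_DAYS_PASSWORD = 90
WARN_DAYS_PASSWORD = 75
TRY_LIMIT = 3
PBKDF2_ROUNDS = 100_000   # kept modest so the demo runs quickly


def derive(secret: str, salt: bytes) -> bytes:
    """Salted one-way derivation (PBKDF2-HMAC-SHA256) standing in for the
    reversible ENCRYPT calls: a leaked record yields only a hash, never the value."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class LogonInfo:
    """One LOGON_INFO record. SECRET_QUESTION stays readable because RSPASS displays it."""
    user_name: str
    e_mail: str
    secret_question: str
    pw_salt: bytes
    password_hash: bytes
    ans_salt: bytes
    secret_answer_hash: bytes
    set_date: date        # date of the last password set (SET_DATE), kept in the clear
    attempts: int = 0     # failed logons since the last success or reset


class LogonStore:
    """In-memory stand-in for the LOGON_INFO file: USER_NAME key, E_MAIL alternate key."""

    def __init__(self) -> None:
        self._by_user: dict[str, LogonInfo] = {}
        self._by_mail: dict[str, LogonInfo] = {}

    def create(self, user_name, password, e_mail, question, answer, today):
        if user_name in self._by_user or e_mail in self._by_mail:
            raise ValueError("USER_NAME and E_MAIL must be unique")
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        rec = LogonInfo(user_name, e_mail, question, pw_salt, derive(password, pw_salt),
                        ans_salt, derive(answer.casefold(), ans_salt), today)
        self._by_user[user_name] = rec
        self._by_mail[e_mail] = rec
        return rec

    def lookup(self, key):
        """Find by USER_NAME, or by E_MAIL when the user forgot the user name."""
        return self._by_user.get(key) or self._by_mail.get(key)

    def prompt_login(self, key, password, today):
        """Mirror of PROMPT_LOGIN: returns (LOGON_OK, INFO)."""
        rec = self.lookup(key)
        bad = "User name and/or password incorrect. Please try again"
        if rec is None:
            derive(password, b"dummy-salt-0000")   # same cost for unknown names (assumed)
            return False, bad
        if rec.attempts >= TRY_LIMIT:              # locked once TRY_LIMIT is reached (assumed)
            return False, bad
        if not hmac.compare_digest(derive(password, rec.pw_salt), rec.password_hash):
            rec.attempts += 1
            return False, bad
        rec.attempts = 0
        age = (today - rec.set_date).days          # DAYS(SYSDATE) - DAYS(T_SET_DATE)
        if EXP_DAYS_PASSWORD < age:
            return False, "Password has expired."
        if WARN_DAYS_PASSWORD < age:
            return True, f"Password will expire in {EXP_DAYS_PASSWORD - age} days."
        return True, ""

    def rspass(self, key, answer, pass1, pass2, today):
        """Mirror of RSPASS: check the secret answer, then store the new password."""
        rec = self.lookup(key)
        if rec is None or not hmac.compare_digest(
                derive(answer.casefold(), rec.ans_salt), rec.secret_answer_hash):
            return False, "The answer is incorrect."
        if pass1 != pass2:
            return False, "Passwords do not agree."
        rec.pw_salt = secrets.token_bytes(16)      # fresh salt with every new password
        rec.password_hash = derive(pass1, rec.pw_salt)
        rec.set_date = today                       # restarts the expiry clock
        rec.attempts = 0                           # a successful reset clears the lock
        return True, ""


def run_demo():
    """Walk the flow on constructed data; returns the list of (LOGON_OK, INFO) results."""
    store = LogonStore()
    store.create("paul", "Str0ng-pass", "paul@example.com", "First pet?", "Fido", date(2008, 1, 1))
    out = [
        store.prompt_login("paul", "Str0ng-pass", date(2008, 2, 13)),               # ok
        store.prompt_login("paul@example.com", "Str0ng-pass", date(2008, 2, 13)),   # ok via E_MAIL
        store.prompt_login("paul", "wrong", date(2008, 2, 13)),                     # bad password
        store.prompt_login("paul", "Str0ng-pass", date(2008, 3, 21)),               # age 80: warning
        store.prompt_login("paul", "Str0ng-pass", date(2008, 4, 1)),                # age 91: expired
        store.rspass("paul", "wrong", "N3w-pass", "N3w-pass", date(2008, 4, 1)),    # bad answer
        store.rspass("paul", "fido", "N3w-pass", "N3w-pass2", date(2008, 4, 1)),    # mismatch
        store.rspass("paul", "fido", "N3w-pass", "N3w-pass", date(2008, 4, 1)),     # reset ok
        store.prompt_login("paul", "N3w-pass", date(2008, 4, 1)),                   # ok, clock restarted
    ]
    for _ in range(TRY_LIMIT):
        store.prompt_login("paul", "bad", date(2008, 4, 2))
    out.append(store.prompt_login("paul", "N3w-pass", date(2008, 4, 2)))           # locked out
    out.append(store.rspass("paul", "FIDO", "N3w-pass", "N3w-pass", date(2008, 4, 2)))  # clears lock
    out.append(store.prompt_login("paul", "N3w-pass", date(2008, 4, 2)))           # ok again
    return out


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The INFO strings and the expiry arithmetic follow the PowerHouse sketch exactly; what differs is only that the stored fields are hashes, that the secret answer is compared case-insensitively, and that the date needs no encryption once it no longer protects anything secret.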
<BR>> Subject: Powerhouse Web Security<BR>
> Date: Wed, 13 Feb 2008 12:48:52 -0800<BR>
> From: Paul.M.Hodson@gov.bc.ca<BR>
> To: powerh-l@lists.sowder.com<BR>
> <BR>
> We are looking at user authentication for our powerhouse web environment. We are currently using a table with ID's and Passwords but the management falls to IT. Would prefer that we use our clients as the point of contact and a more robust approach - more web like using question reminders and self-serve password resets.<BR>
> <BR>
> Any insight? Suggestion?<BR>
> <BR>
> Thanks,<BR>
> Paul Hodson<BR>
> <BR>
> -- <BR>
> = = = = = = = = = = = = = = = = = = = = = = = = = = = =<BR>
> Mailing list: powerh-l@lists.sowder.com<BR>
> Subscribe: &quot;subscribe&quot; in message body to powerh-l-request@lists.sowder.com<BR>
> Unsubscribe: &quot;unsubscribe &lt;password&gt;&quot; in message body to powerh-l-request@lists.sowder.com<BR>
> http://lists.sowder.com/mailman/listinfo/powerh-l<BR>
> This list is closed, thus to post to the list you must be a subscriber.<BR>
> Add 'site:lists.sowder.com powerh-l' to your search terms to search the list archive at Google.<BR>
</body>
</html>