Thread Create User with password that's not typable characters?
Wed, Sep 12 2012 7:56 PM

IQA

Hi All,

Just wondering if it's possible to create a User in EDB that would use
characters or something that people can't physically type using a
standard keyboard. At least not without a lot of hassle?

Reason I ask is, I want a way for support staff to be able to reset
passwords for users without having fixed logins. (i.e. one support person
may be looking after 100 clients' sites)

I'm going to have a revolving code based partly on current date and
other things, they enter this changing code, which then uses the
non-typable user to gain access and reset certain passwords.

I hope that makes sense.

Thanks,

Phil.
Wed, Sep 12 2012 9:31 PM

Raul

Team Elevate


How do you plan to type it into your program in the first place ?!

You could use characters that are not on a regular US keyboard (for
example Alt+0223) if clients are in the US. Or even see if you can enter
non-printable ones (meaning ones below ASCII 32).

However, one can use the Character Map utility to build any kind of string
and then just copy it to the clipboard, or if I know what the password is,
enter it using codes, so the trick will be to hide the password.

Raul


On 9/12/2012 7:56 PM, Phil wrote:
> Just wondering if it's possible to create a User in EDB that would use
> characters or something that people can't physically type using a
> standard keyboard. At least not without a lot of hassle?
>
> Reason I ask is, I want a way for support staff to be able to reset
> passwords for users without having fixed logins. (i.e. one support person
> may be looking after 100 clients' sites)
>
> I'm going to have a revolving code based partly on current date and
> other things, they enter this changing code, which then uses the
> non-typable user to gain access and reset certain passwords.
>
> I hope that makes sense.
Thu, Sep 13 2012 3:42 AM

Roy Lambert

NLH Associates

Team Elevate

Phil


It's easy to create, and log in using software - any old characters will do since it's just a string field. However, depending on how complex you make it, it will be extremely difficult for even authorised people to log in.

I can foresee a number of problems, e.g.:

how are you going to log in to set up this password - or is this an example of recursion :)
entering the password would need a special utility or lots of patience as they use alt and the number pad
if any of the users get hold of ElevateDB and have the right access level they can view the passwords

Personally I would have a utility app, a user with an impossible-to-type password, and when the app is run have a two or three level additional authentication built in. That could have a variable security system providing that the support person using it could easily (i.e. without visible pencil and paper) work out the password.

e.g.:

level 1 - add day, month, year and enter the result
level 2 - enter own id & password
level 3 - add day & hour & month and enter result

Roy Lambert [Team Elevate]
Sat, Sep 15 2012 12:17 PM

Barry

Phil wrote:

>>Just wondering if it's possible to create a User in EDB that would use
>>characters or something that people can't physically type using a
>>standard keyboard. At least not without a lot of hassle?

Why not just do an MD5 on the password with a salt? EDB does something like this internally before storing the password, but there is nothing preventing you from doing this before EDB gets the password. You can restrict certain forms to use this MD5 fcn which makes it very hard for other forms to replicate it.

If you want to make things really difficult for people, you could store this MD5 function on a thumb drive that you carry with you and the MD5 calculation is NOT calculated in your forms at all. You have to run the password like "secret" through the thumb drive application to get a 32 character string and then copy and paste it into the password screen.

There is an excellent free online password generator called LastPass.com that will not only generate a cryptic password for a website, but will automatically log you in (after you authenticate). If you're not using LastPass for storing login passwords for websites, you should at least consider using it. It is very good and also very portable.

Barry
Sun, Sep 16 2012 10:58 PM

Raul

Team Elevate

Barry,

I'm not sure this would work for Phil's scenario - AFAIK he wants to use
a "special" user in all his EDB installs that can reset other users'
passwords.

The support staff can use his utility app with rotating daily password
but then that utility app just uses the "special" login.

How does one protect the "magic" login from users while still allowing
the exact same user to run the utility app ?

Raul

On 9/15/2012 12:17 PM, Barry wrote:
> Phil wrote:
>
> Why not just do an MD5 on the password with a salt? EDB does something like this internally before storing the password, but there is nothing preventing you from doing this before EDB gets the password. You can restrict certain forms to use this MD5 fcn which makes it very hard for other forms to replicate it.
>
> If you want to make things really difficult for people, you could store this MD5 function on a thumb drive that you carry with you and the MD5 calculation is NOT calculated in your forms at all. You have to run the password like "secret" through the thumb drive application to get a 32 character string and then copy and paste it into the password screen.
>
> There is an excellent free online password generator called LastPass.com that will not only generate a cryptic password for a website, but will automatically log you in (after you authenticate). If you're not using LastPass for storing login passwords for websites, you should at least consider using it. It is very good and also very portable.
>
> Barry
>
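
The revolving, date-based support code discussed in this thread, sketched as an added example that is not part of any post and is not ElevateDB code: the code is an HMAC over site, staff member and date, so it cannot be worked out from the date alone. The site ids, staff id, keys and function names are hypothetical, and HMAC-SHA256 is an assumption of this sketch.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed per-site keys (assumption): each install gets its own random
# secret, so a code valid at one client site is useless at another.
SITE_KEYS = {
    "site-001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "site-002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def support_code(site_id: str, staff_id: str, day: date, digits: int = 8) -> str:
    """Derive a typable numeric code bound to site, staff member and date."""
    msg = f"{site_id}|{staff_id}|{day.isoformat()}".encode("utf-8")
    mac = hmac.new(SITE_KEYS[site_id], msg, hashlib.sha256).digest()
    # Truncate the MAC to a short decimal string a person can read out.
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def verify_support_code(site_id: str, staff_id: str, entered: str,
                        today: date, skew_days: int = 0) -> bool:
    """Check an entered code for today, optionally accepting recent days."""
    if site_id not in SITE_KEYS:
        return False
    supplied = entered.strip().encode("utf-8")  # bytes: safe for any input
    ok = False
    for back in range(skew_days + 1):
        expected = support_code(site_id, staff_id, today - timedelta(days=back))
        # Constant-time comparison; no early exit so timing stays uniform.
        ok |= hmac.compare_digest(supplied, expected.encode("ascii"))
    return ok


if __name__ == "__main__":
    d = date(2012, 9, 13)  # constructed sample date
    code = support_code("site-001", "alice", d)
    print(code, verify_support_code("site-001", "alice", code, d))
```

The key held at each site still has to be kept away from local users, which is the question the last post raises; this sketch only covers deriving and checking the code.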