Version 5.6 | Approx 0.8 MB | First Published 21 Nov 2018 | Last Updated 6 May 2023
This is an updated version of another old utility written by David Crake which was originally posted as a sample database at Access World Forums.
I have updated it following a request by MarcusGR in this thread at Access World Forums.
The utility has been converted to ACCDB format and the code modified so it will work in any version of Access from 2007 onwards (32-bit or 64-bit).
Other changes made in this latest version include:
1. The original MDB version used a weak form of XOR encoding for user passwords - very insecure.
This version uses 128-bit RC4 encryption for much stronger protection of passwords.
The password cipher in the example app is 'isladogs'
This cipher can (and SHOULD) be changed in module modEncryption
2. Added a new user form including various optional settings:
a) User access level (1/2/3) with default = 1 (standard user)
b) Password expiry (days) with default=0 (never expire)
c) Change own password (yes/no) with default=no
For security, new users must enter their own password at first login
3. The Login button remains disabled until the password has been validated
The validation check includes:
a) Password expiry date (if any)
b) Users logged in on another computer – blocked from logging in again
c) Users still logged on current computer – the previous session is ended so that a new login is possible
d) The password check is now case sensitive (added version 5.6)
e) When the password is changed, the new password cannot match the previous password. Change of case isn't allowed here.
Further information about the app is given in the various forms supplied with this utility
The session log form (for system admins only) shows a list of currently logged in users:
The supplied example app has 6 users so the system can be tested:
a) Billy is not active so won’t appear in the drop down list
b) Jill has no password set so you will be prompted to enter a password
c) Tommy has an expired password - you will be prompted to enter a new password
d) All other users (Delilah / Jack / Samson) can login normally
For strong and effective password security in a production database you should:
1. Use a split database with an encrypted backend file containing all tables (including passwords)
2. Store the RC4 cipher itself in a hidden table or class module, encrypted using a different system!
3. Ensure users have no access to tables
4. Insist on passwords of a minimum length such as 8 characters to include at least one of each of the following: capital letter, small letter & number, special character
5. Insist that passwords are not written down or e.g. stuck to users' monitors!
A skilled and determined hacker could, given sufficient time, still eventually crack the passwords.
For that reason, it is far better not to store the passwords in the same database.
Instead, use a secure system such as Active Directory to manage user logins.
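The following VBA is an added example, not code from the utility. It shows the case-sensitive password match, the rule that a new password may not differ from the old one only by case, and the complexity policy recommended above. The function names are hypothetical, the sample values are constructed, and letters are assumed to be ASCII. Comparison modes are given explicitly with StrComp because Access modules default to Option Compare Database, under which = does not distinguish case.

```vba
Option Compare Database   ' Access default; with the default sort order "=" ignores case
Option Explicit

' True only on an exact match, including letter case.
Public Function PasswordMatches(ByVal typed As String, ByVal stored As String) As Boolean
    PasswordMatches = (StrComp(typed, stored, vbBinaryCompare) = 0)
End Function

' True when the new password differs from the old one by more than case.
Public Function IsNewPasswordDifferent(ByVal newPwd As String, ByVal oldPwd As String) As Boolean
    IsNewPasswordDifferent = (StrComp(newPwd, oldPwd, vbTextCompare) <> 0)
End Function

' Returns "" if pwd meets the policy, otherwise the first rule it fails.
' Code points are tested so the result does not depend on the Option Compare setting.
Public Function PolicyFailure(ByVal pwd As String) As String
    Dim i As Long
    Dim hasUpper As Boolean, hasLower As Boolean
    Dim hasDigit As Boolean, hasSpecial As Boolean

    If Len(pwd) < 8 Then
        PolicyFailure = "fewer than 8 characters"
        Exit Function
    End If
    For i = 1 To Len(pwd)
        Select Case AscW(Mid$(pwd, i, 1))
            Case 65 To 90: hasUpper = True      ' A-Z
            Case 97 To 122: hasLower = True     ' a-z
            Case 48 To 57: hasDigit = True      ' 0-9
            Case Else: hasSpecial = True        ' anything else counts as special
        End Select
    Next i
    If Not hasUpper Then
        PolicyFailure = "no capital letter"
    ElseIf Not hasLower Then
        PolicyFailure = "no small letter"
    ElseIf Not hasDigit Then
        PolicyFailure = "no number"
    ElseIf Not hasSpecial Then
        PolicyFailure = "no special character"
    End If
End Function

' Constructed sample values; results appear in the Immediate window.
Public Sub DemoChecks()
    Debug.Print PasswordMatches("Secret#1x", "secret#1x")
    Debug.Print IsNewPasswordDifferent("SECRET#1X", "secret#1x")
    Debug.Print PolicyFailure("secret#1x")
End Sub
```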
v5.1 - 24/01/2019 - Fixed invalid use of null error at first login
v5.2 - 05/01/2020 - Fixed date errors in frmLogin causing errors 3075/3061 for some users
v5.3 - 17/02/2020 - Fixed further date error overlooked previously
v5.4 - 10/02/2021 - Removed 2 duplicate declarations from frmNewUser
v5.5 - 24/04/2023 - Fixed issue for non-English language users. Replaced boolean field for ChangePWD to a byte integer field. Tested in Spanish & English.
Thanks to Pedro Moreno Rodriguez for alerting me to the issue
v5.6 - 06/05/2023 - Password validation check is now case sensitive
For more details, see my article Case Sensitive Password Validation
Click to download: Password Login v5.6 (zipped)
Colin Riddington Mendip Data Systems Last Updated 6 May 2023