First Published 7 May 2023
This article was prompted when I was approached by the author of a thread at AccessForums.net: Access login to be case sensitive
By default, Access is case insensitive
That means comparing e.g."mypassword" with "MyPaSsWorD" returns True although they are clearly different.
This is useless when running password validation checks
When you need to do a case sensitive check, use the StrComp function with the binary comparison option
Syntax: StrComp(string1, string2, vbBinaryCompare)
For example: StrComp(EnteredPasswordString, StoredPasswordString, vbBinaryCompare)
The output will be -1, 0 , 1 or Null depending on the two string values.
Output = 0 means both strings are IDENTICAL including the case of each character and passes the validation check.
Any other output indicates differences so the check should fail
For more details, see the Microsoft Help article on the StrComp function
However, there is a better approach with an important additional step that will also make your passwords more secure
Passwords should NEVER be stored unencrypted in a database.
If anyone gains access to user passwords, you will have major data protection issues. Don't risk it!
Ideally, check usernames and passwords against the active directorywhich is designed to be secure. If so, a login form is NOT normally needed.
However, if you do want to utilise a login system, encrypt the passwords with a suitable encryption method such as SHA or RC4.
See my example database: Password Login with Session Login Information which uses RC4 encryption.
To do this, each password is stored encrypted using the function RC4(PasswordString, RC4_Key) where RC4_Key is the encryption string.
This also has the benefit of giving different results depending on the case used for each character in the string. For example:
4 variations of the password 'OpenSesame' encrypted using RC4 with the encryption key 'isladogs'
?RC4("opensesame", "isladogs")
ÌÂ~—KkÙ±
?RC4("OpenSesamE", "isladogs")
ìÂ~·KkÙ‘
?RC4("OPENSESAME", "isladogs")
ì0â^·kKù.‘
?RC4("oPeNsEsAmE", "isladogs")
Ì0Â^—kkù‘
If you look carefully, all of these are subtly different
Then your password check process should do a binary comparison of theencrypted version of the entered password with the stored password.
The following code is a simplified version of the password validationcheck in my Password Login example database.
CODE:
Dim Attempts As Integer
'Check if encrypted version of entered password matches encrypted stored password
'use StrComp to do case sensitive password check
'output = 0 means both values are identical. Outputs of 1, -1 or Null all fail test
'Allow 3 attempts to enter correct password
If StrComp(Me.txtPWD, strPassword, vbBinaryCompare) <> 0 Then
Attempts = Attempts + 1
Select Case Attempts
Case 1
FormattedMsgBox "Invalid Password " & _
"@NOTE: Passwords are case sensitive. Please try again @", vbInformation + vbOKOnly, "Password Error"
Me.txtPWD = ""
Case 2
FormattedMsgBox "You have entered an incorrect password TWICE " & _
"@You have ONE more attempt left @", vbExclamation + vbOKOnly, "Password Error"
Me.txtPWD = ""
Case 3
FormattedMsgBox "You have entered an incorrect password THREE times " & _
"@The application will now close @", vbCritical + vbOKOnly, "Password entry failed"
Application.Quit
Exit Sub
End Select
Else
'password matched - enable login button
CmdLogin.Enabled = True
End If
NOTE:
The RC4 function code is supplied with the Password Login example database.
It is also an integral part of my Encrypted Split No Strings security challenge article elsewhere on this website.
Feedback
Please use the contact form below to let me know whether you found this article interesting/useful or if you have any questions/comments.
Please also consider making a donation towards the costs of maintaining this website. Thank you
Colin Riddington Mendip Data Systems Last Updated 7 May 2023
|
Return to Code Samples Page
|
Return to Top
|