verify windows password?

  • diane

    verify windows password?

    I've got an application running with table-based security: I capture
    the user's windows login with fOsusername, then have them enter a
    password checked against their username/login in my own table. The
    problem is, they can't remember the passwords they've created, and I
    spend more time than I want to resetting.

    Here's what I'd LIKE to have happen: when the user opens the
    application (Access2k), a dialog box appears with the windows login
    name of the currently-logged in user (I can do this part), and they
    have to enter their WINDOWS password, which some windows api verifies
    for me so I can allow or not allow them in.

    Is there a way for windows to verify the password for me? I can't
    seem to find anything on this; all I get are directions to
    fOsusername, which is only the first half of my battle.

    Thanks for any help you can give me.

  • Arno R

    #2
    Re: verify windows password?


    "diane" <diane.pittman@verizon.net> wrote in message news:1181581816.098612.300370@p77g2000hsh.googlegroups.com...
    > I've got an application running with table-based security: I capture
    > the user's windows login with fOsusername, then have them enter a
    > password checked against their username/login in my own table. The
    > problem is, they can't remember the passwords they've created, and I
    > spend more time than I want to resetting.
    >
    > Here's what I'd LIKE to have happen: when the user opens the
    > application (Access2k), a dialog box appears with the windows login
    > name of the currently-logged in user (I can do this part), and they
    > have to enter their WINDOWS password, which some windows api verifies
    > for me so I can allow or not allow them in.
    >
    > Is there a way for windows to verify the password for me? I can't
    > seem to find anything on this; all I get are directions to
    > fOsusername, which is only the first half of my battle.
    >
    > Thanks for any help you can give me.

    What's the use ??
    If they are allowed into the program when 'properly' logged on in Windows, then why bother ??
    Are you concerned about users using other persons' workstations ??
    What about when they leave the program open when they are gone for lunch ??

    > The problem is, they can't remember the passwords they've created,

    If they can remember the Windows password ... then let the users deal with his/her password.
    I mean: Use the Windows-logon-password in your table and let the user change the password.
    (e.g. when they are forced to renew the password.)
    But:
    What's the use ??

    Arno R


    • DavidB

      #3
      Re: verify windows password?


      The use seems quite obvious to me. He wants user level security but
      wants the password and id for each user to be the user's Windows login
      id/password. A rather easy concept IMHO.



      • diane

        #4
        Re: verify windows password?

        I am in fact concerned about people using others' workstations--this
        is a pretty sensitive application. I am also concerned with
        appearance--users feel more confident that an application is secure
        when they have to enter a password, and these users pay my
        salary! :) But whether or not you think what I want to do is
        "useless," what I'm interested in is, can it be done?


        • Rick Brandt

          #5
          Re: verify windows password?

          diane wrote:
          > I am in fact concerned about people using others' workstations--this
          > is a pretty sensitive application. I am also concerned with
          > appearance--users feel more confident that an application is secure
          > when they have to enter a password, and these users pay my
          > salary! :) But whether or not you think what I want to do is
          > "useless," what I'm interested in is, can it be done?

          It is true that if a user is silly enough to log onto Windows and the
          company network and then walk away from their PC that someone else could
          walk up to that PC, open your application, and then be able to access stuff
          that they should not.

          BUT...
          Wouldn't a user silly enough to do that also be silly enough to open your
          app, log onto it using your home-cooked security, and then walk away from
          his PC, creating the exact same situation? I fail to see how adding another
          password verification really accomplishes anything beyond just using the
          Windows user name that you already have.

          Most IT Security people would consider ANYTHING that asks a user for his
          Windows password other than the OS itself to be a BIG security problem.
          Your application would then be free to do anything with that information.
          You are creating a security problem, not solving one if you go this route.


          --
          Rick Brandt, Microsoft Access MVP
          Email (as appropriate) to...
          RBrandt at Hunter dot com



          • diane

            #6
            Re: verify windows password?

            One, re the "silly user" issue: Our users remain logged in to their
            machines all day and are in & out of their offices. I am mostly
            concerned with making sure their secretaries or underlings are not
            given the opportunity to walk in & open the application and view
            sensitive data. My users are sufficiently concerned with the privacy
            of this data to make sure that they do not leave the application open
            on the desktop when they walk away, and they don't use it every day in
            any case.

            Two, re Windows security: I'm not trying to GET the users' passwords,
            only to verify that they have entered them correctly. Other
            applications do this all the time--for example, our third-party IM
            client asks for the user's windows password to log in.

            Regardless, I feel comfortable with my ability to decide WHAT I want
            to do. I'm still looking for help with HOW TO DO IT.

            Thank you.


            • DavidB

              #7
              Re: verify windows password?

              One could easily write a routine that closes a database after a given
              period of inactivity to resolve the idiot user syndrome...


              • Arno R

                #8
                Re: verify windows password?


                "diane" <diane.pittman@verizon.net> wrote in message news:1181583676.296185.291350@k79g2000hse.googlegroups.com...
                > I am in fact concerned about people using others' workstations--this
                > is a pretty sensitive application. I am also concerned with
                > appearance--users feel more confident that an application is secure
                > when they have to enter a password, and these users pay my
                > salary! :) But whether or not you think what I want to do is
                > "useless," what I'm interested in is, can it be done?

                Sorry, I did *not* say it is "useless"... but I am very interested in the practical use...

                I know for sure that my users *don't* like typing in the same password twice.
                That will not give them a feeling of confidence. It will only annoy them.

                But you say you are indeed concerned about people using others' workstations (as I presumed).
                I don't know if you can find the API that you are looking for...
                But I would take care of my app shutting down after a while of no activity. (Do a Google search for 'idletime')
                I would also train the users to close the app when they go to lunch.

                And/or use the idea that I gave you in the first place. Let them maintain their own password.

                Arno R
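
The inactivity shutdown suggested in posts #7 and #8, as an added example that is not from any poster in this thread: code-behind for a hidden Access form (hypothetical name frmIdleWatch, opened at startup with TimerInterval set to 1000) that quits the application once Windows reports no keyboard or mouse input for an assumed five-minute limit. It uses the Win32 GetLastInputInfo and GetTickCount calls, so it measures idle time for the whole desktop session rather than focus changes inside Access.

```vba
' Added example: code-behind for a hidden form (hypothetical name frmIdleWatch).
' Set the form's TimerInterval property to 1000 (one check per second).
Option Compare Database
Option Explicit

' Assumption: 5 minutes without keyboard or mouse input means the user walked away.
Private Const IDLE_LIMIT_MS As Long = 300000

Private Type LASTINPUTINFO
    cbSize As Long      ' size of this structure in bytes
    dwTime As Long      ' tick count at the last input event
End Type

#If VBA7 Then
    Private Declare PtrSafe Function GetLastInputInfo Lib "user32" (ByRef plii As LASTINPUTINFO) As Long
    Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
#Else
    ' Access 2000 (VBA6) takes this branch.
    Private Declare Function GetLastInputInfo Lib "user32" (ByRef plii As LASTINPUTINFO) As Long
    Private Declare Function GetTickCount Lib "kernel32" () As Long
#End If

' Milliseconds since the last keyboard or mouse input in this Windows session.
Private Function IdleMilliseconds() As Double
    Dim lii As LASTINPUTINFO
    Dim elapsed As Double

    lii.cbSize = Len(lii)
    If GetLastInputInfo(lii) = 0 Then
        ' API call failed: report "active" so a transient failure
        ' does not close the application on every timer tick.
        IdleMilliseconds = 0
        Exit Function
    End If

    ' Tick counts are unsigned 32-bit values held in signed Longs.
    ' Subtract as Doubles and correct for sign change or wrap-around,
    ' which would otherwise raise an overflow error.
    elapsed = CDbl(GetTickCount()) - CDbl(lii.dwTime)
    If elapsed < 0 Then elapsed = elapsed + 4294967296#
    IdleMilliseconds = elapsed
End Function

Private Sub Form_Timer()
    If IdleMilliseconds() >= IDLE_LIMIT_MS Then
        Me.TimerInterval = 0            ' stop further timer events
        Application.Quit acQuitSaveAll  ' close Access, saving open objects
    End If
End Sub
```

Quitting the application only limits the window in which an unattended session exposes the data; the Windows screen lock still covers everything else on the desktop.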


                • diane

                  #9
                  Re: verify windows password?

                  I'm not worried about annoying my users. This was actually their
                  suggestion. If I can't find the appropriate API (it HAS to exist), I
                  may use your suggestion to capture their windows login in my user
                  table--but, boy howdy, that seems like a bigger security risk than
                  just asking Windows to give me a thumbs-up-thumbs-down!


                  • Arno R

                    #10
                    Re: verify windows password?


                    "diane" <diane.pittman@verizon.net> wrote in message news:1181588069.141227.192190@q69g2000hsb.googlegroups.com...
                    > I'm not worried about annoying my users. This was actually their
                    > suggestion. If I can't find the appropriate API (it HAS to exist), I
                    > may use your suggestion to capture their windows login in my user
                    > table--but, boy howdy, that seems like a bigger security risk than
                    > just asking Windows to give me a thumbs-up-thumbs-down!

                    Yes, it would be a bad idea indeed to save the Windows passwords in an Access table...

                    However my main idea to solve your initial problem (maintenance) was: Let them maintain their own password!
                    But since "they can't remember the passwords they've created" this also might not be a real solution...

                    I just read your answer to Rick.
                    ==> In any case teach them to log off when they leave the office!!
                    IMO it is plain stupid not to do so, when there is *any* sensitive data on the machine.

                    But also don't forget about the idletime issue when they are *at* the office....

                    Arno R


                    • Rick Brandt

                      #11
                      Re: verify windows password?

                      diane wrote:
                      > I'm not worried about annoying my users. This was actually their
                      > suggestion. If I can't find the appropriate API (it HAS to exist),

                      There are ways to pass the current user credentials and bounce them off of
                      an LDAP database to re-authenticate them, but that would just use the
                      windows credentials that are already in place and accomplishes nothing that
                      you want.

                      There is NOT an API that will give your program the user's password and it
                      should be very obvious why there is not. A password would be pretty useless
                      if a program running on the PC could just make an API call and get at it,
                      wouldn't you agree?

                      --
                      Rick Brandt, Microsoft Access MVP
                      Email (as appropriate) to...
                      RBrandt at Hunter dot com



                      • diane

                        #12
                        Re: verify windows password?

                        Yes, Rick, I would agree, but I've been very clear that I'm NOT
                        looking to OBTAIN my users' passwords--I just want windows to give me
                        a go/no-go on them. I think I've been very, very clear on that, if
                        you actually read my postings. To clear up any remaining recurring
                        misconceptions:

                        1. My users are in & out of their offices all day--trying to get them
                        to log off every time they run down the hall is NOT an option.

                        2. They don't use this app very often or for very long at a time, and
                        they are very sensitive about its data, so they are NOT likely to
                        leave the app open (not that that's actually relevant to my question,
                        but it keeps coming up).

                        3. My users will NOT be annoyed by having to re-enter their windows
                        passwords--they've actually ASKED for this feature.

                        4. Just to reiterate: I am NOT trying to obtain users' Windows
                        passwords. I want to feed the login name & password to an API which
                        can tell me yes/no, 0/1, thumbs-up-thumbs-down, go/no-go, let 'em in
                        or lock 'em out.

                        I'm hoping for a response from someone who knows how to accomplish
                        this. As I've said, our third-party IM client accomplishes this--I
                        want to know HOW.


                        • '69 Camaro

                          #13
                          Re: verify windows password?

                          Hi, Diane.
                          >> Let them maintain their own password.
                          > I'm not worried about annoying my users. This was actually their
                          > suggestion.

                          Of course the users suggested it. No experienced IT person would ever
                          suggest compromising Windows security on every Windows computer on the
                          entire planet by placing the code to check a user's Windows password in an
                          Access database, where any hacker could copy that code and use it elsewhere
                          for whatever nefarious deeds he wants.

                          > If I can't find the appropriate API (it HAS to exist)

                          Fortunately, there's a really, really good reason that you (and hackers)
                          can't easily find it. It's like handing a loaded gun to a four year old.
                          The four year old doesn't realize how dangerous it is, and the hacker can
                          take the gun away from the four year old so quickly and easily that the
                          loaded gun might as well have been given directly to the hacker.

                          > I
                          > may use your suggestion to capture their windows login in my user
                          > table--but, boy howdy, that seems like a bigger security risk than
                          > just asking Windows to give me a thumbs-up-thumbs-down!

                          I'm sure hackers are very happy you're so willing to compromise your
                          organization's Windows' users' passwords (and announce your intentions in
                          public), but it's far better to compromise the security of your own
                          organization's network than to compromise the security of all Windows
                          networks on the planet!

                          Good luck!
                          Gunny

                          See http://www.QBuilt.com for all your database needs.
                          See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
                          Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
                          http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
                          info.



                          • diane

                            #14
                            Re: verify windows password?

                            Okay, apparently I've asked this question in the wrong forum. I was
                            looking for actual technical expertise. I'll look elsewhere.


                            • '69 Camaro

                              #15
                              Re: verify windows password?

                              Hi, Diane.
                              > Okay, apparently I've asked this question in the wrong forum. I was
                              > looking for actual technical expertise. I'll look elsewhere.

                              No one with the technical expertise is going to be foolish enough to hand it
                              to you, because you can't protect it from hackers who can use it on _any_
                              Windows system on the planet to compromise all Windows security, not just
                              _your_ organization's security.

                              HTH.
                              Gunny

                              See http://www.QBuilt.com for all your database needs.
                              See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
                              Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
                              http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
                              info.

