verify windows password?

  • Rick Brandt

    #16
    Re: verify windows password?

    diane wrote:
    On Jun 11, 3:41 pm, "Rick Brandt" <rickbran...@hotmail.com> wrote:
    >diane wrote:
    Yes, Rick, I would agree, but I've been very clear that I'm NOT
    looking to OBTAIN my users' passwords--I just want windows to give me
    a go/no-go on them. I think I've been very, very clear on that, if
    you actually read my postings. To clear up any remaining recurring
    misconceptions:
    >
    1. My users are in & out of their offices all day--trying to get them
    to log off every time time they run down the hall is NOT an option.
    >
    2. They don't use this app very often or for very long at a time, and
    they are very sensitive about its data, so they are NOT likely to
    leave the app open (not that that's actually relevant to my question,
    but it keeps coming up).
    >
    3. My users will NOT be annoyed by having to re-enter their windows
    passwords--they've actually ASKED for this feature.
    >
    4. Just to reiterate: I am NOT trying to obtain users' Windows
    passwords. I want to feed the login name & password to an API which
    can tell me yes/no, 0/1, thumbs-up-thumbs-down, go/no-go, let 'em in
    or lock 'em out.
    >
    I'm hoping for a response from someone who knows how to accomplish
    this. As I've said, our third-party IM client accomplishes this--I
    want to know HOW.
    Okay I think I see now. You want an API call that will cause the *OS* to
    prompt the user to re-validate themselves and the API call will pass back to
    you whether the credentials it received were good without actually sharing
    those credentials with your application.

    If there is such an API I have never heard of it.

    --
    Rick Brandt, Microsoft Access MVP
    Email (as appropriate) to...
    RBrandt at Hunter dot com



    • '69 Camaro

      #17
      Re: verify windows password?

      Hi, Diane.
      4. Just to reiterate: I am NOT trying to obtain users' Windows
      passwords. I want to feed the login name & password to an API which
      can tell me yes/no, 0/1, thumbs-up-thumbs-down, go/no-go, let 'em in
      or lock 'em out.
      Let me spell this out for you, because it appears that you don't understand
      the consequences of what you're asking for. A hacker doesn't need to know
      what the actual Windows password is (although that would obviously be the
      quickest way to break into a Windows system). He only needs to know when a
      string passed as the password is the correct password. That's when a "brute
      force" attack becomes successful. The code you would need to use in your
      Access database application to determine whether or not your user's typed in
      password matches that user's Windows password is exactly the same code a
      hacker would use in a loop to keep trying password combinations until
      successful. The hacker can use that same code on your system, and on my
      Windows system, and on everyone else's Windows system in a brute force
      attack to determine the Windows password of any Windows user on the planet.

      With today's fast computer systems, it often only takes seconds or minutes
      to try millions or billions of different password combinations
      programmatically, whereas a hacker trying to login from outside the system
      has a delay of about 20 seconds between tries and usually a maximum number
      of tries to successfully authenticate before the system refuses any further
      attempts.

      Now can you see why no competent IT professional who knows how to do this
      would willingly offer you the code in a newsgroup post, even though you,
      yourself, may not be planning to use it for some heinous computer crime?

      HTH.
      Gunny

      See http://www.QBuilt.com for all your database needs.
      See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
      Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
      http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
      info.



      • David W. Fenton

        #18
        Re: verify windows password?

        diane <diane.pittman@verizon.net> wrote in
        news:1181585521.966938.32790@k79g2000hse.googlegroups.com:
        One, re the "silly user" issue: Our users remain logged in to
        their machines all day and are in & out of their offices.
        This is a domain policy issue. The sysadmin can force those machines
        to lock the workstation after inactivity.

        --
        David W. Fenton http://www.dfenton.com/
        usenet at dfenton dot com http://www.dfenton.com/DFA/


        • David W. Fenton

          #19
          Re: verify windows password?

          "Rick Brandt" <rickbrandt2@hotmail.com> wrote in
          news:9Dibi.18183$C96.876@newssvr23.news.prodigy.net:
          Okay I think I see now. You want an API call that will cause the
          *OS* to prompt the user to re-validate themselves and the API call
          will pass back to you whether the credentials it received were
          good without actually sharing those credentials with your
          application.
          >
          If there is such an API I have never heard of it.
          Just set the frigging screen saver to require password
          authentication. The result is that the workstation locks when the
          screen saver kicks in and can't be unlocked except with the
          logged-in user's password (or an administrator's username/password).

          And this can be set as a system policy, if I'm not mistaken.

          Geeze, this stuff is so basic to Windows configuration I can't
          believe nobody knows this stuff.

          --
          David W. Fenton http://www.dfenton.com/
          usenet at dfenton dot com http://www.dfenton.com/DFA/


          • David W. Fenton

            #20
            Re: verify windows password?

            diane <diane.pittman@verizon.net> wrote in
            news:1181592836.476898.133910@q75g2000hsh.googlegroups.com:
            Okay, apparently I've asked this question in the wrong forum. I
            was looking for actual technical expertise. I'll look elsewhere.
            You're not going to get the answer in a different forum, unless it's
            populated by people who don't care about security.

            --
            David W. Fenton http://www.dfenton.com/
            usenet at dfenton dot com http://www.dfenton.com/DFA/


            • DavidB

              #21
              Re: verify windows password?

              On Jun 11, 4:22 pm, "'69 Camaro" <ForwardZERO_SPAM.To.69Cam...@Spameater.orgZERO_SPAM> wrote:
              Hi, Diane.
              >
              Okay, apparently I've asked this question in the wrong forum. I was
              looking for actual technical expertise. I'll look elsewhere.
              >
              No one with the technical expertise is going to be foolish enough to hand it
              to you, because you can't protect it from hackers who can use it on _any_
              Windows system on the planet to compromise all Windows security, not just
              _your_ organization's security.
              >
              HTH.
              Gunny
              >
              See http://www.QBuilt.com for all your database needs.
              See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
              Blogs: https://www.DataDevilDog.BlogSpot.co...utors2.html for contact
              info.
              Gunny you are an ass. You have done nothing but belittle the person
              who asked the question because YOU do not understand what was asked!
              No one asked for a way to fetch a windows password. The user merely
              asked to have the app validate a user based on the windows password.
              If you fail to see the difference in that it is simply amazing that
              you reached the rank of gunny. Your (totally invalid) point is that
              doing so would allow someone to hack into the user's computer. Using
              that logic, allowing people to log into windows in the first place
              would be useless since it involves using the windows password in the
              exact same manner as the original poster requested. Quit being such an
              asswad.


              • '69 Camaro

                #22
                Re: verify windows password?

                Hi, David.
                No one asked for a way to fetch a windows password. The user merely
                asked to have the app validate a user based on the windows password.
                Neither of you understand the consequences of what she's asking for. She
                reiterated that she _doesn't_ want the actual Windows password, but only
                wants to determine whether or not the user's typed in password matches the
                user's Windows password. If you research brute force attacks, you'll find
                that that is exactly what is used to eventually determine a user's password,
                but it's placed within a loop where the next possible password combination
                is attempted when the previous attempt fails. Handing Diane the code to
                check whether or not a possible Windows password combination is correct is
                tantamount to handing every hacker in the world the code to determine
                anyone's Windows password, because the loop and the code for producing each
                possible password combination are trivial.

                How many competent IT people are going to do that? None, because they know
                why they _shouldn't_, even if they know how. How many incompetent people
                are going to do that? None, because although they'd foolishly offer the
                solution when asked, they don't know how it's done.

                Fortunately, you aren't going to give Diane the answer she seeks. If I were
                truly the ass you believe me to be, I'd point out which of these two groups
                you are in. Wouldn't I?
                If you fail to see the difference in that it is simply amazing that
                you reached the rank of Gunny.
                I was always told it was because I had far more guts than brains, but the
                fact that I was voted unanimously in high school as the student "Most likely
                to conquer a small country single-handedly . . . bare-handed, too" may have
                had something to do with my future exploits and achievements in the Marine
                Corps.
                Using
                that logic, allowing people to log into windows in the first place
                would be useless since it involves using the windows password in the
                exact same manner as the original poster requested.
                There's an important difference, in that Group Policies (for network domain
                login rules) and workstation login rules apply for the Windows logins.
                These add a sufficient time delay between attempts and limit the maximum
                login attempts such that the millions or billions of possible password
                combinations (or more) that are required for a brute force attack to succeed
                are fairly easy to prevent. Authorized users are allowed to authenticate
                at Windows login, whereas brute force attackers aren't. Once authenticated
                on a Windows system, a programmatic check of whether or not a possible
                password combination matches any user's Windows password could be done
                millions of times per minute without the time delay constraint between
                attempts, nor the limit on the maximum number of tries of the earlier
                Windows login.

                By the way, if you ask Dave Hargis, I'm sure he can explain these things to
                you better than I can, and in a more pleasant tone than a gunnery sergeant
                would.

                HTH.
                Gunny

                See http://www.QBuilt.com for all your database needs.
                See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
                Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
                http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
                info.




                • Tim Marshall

                  #23
                  Re: verify windows password?

                  '69 Camaro wrote:
                  By the way, if you ask Dave Hargis, I'm sure he can explain these things to
                  you better than I can, and in a more pleasant tone than a gunnery sergeant
                  would.
                  Totally OT, but do you know what the equivalent NCO rank in the Canadian
                  or British army is to a gunnery sergeant? Is that like a regimental
                  (battalion to you guys) or squadron (company) sergeant major?
                  --
                  Tim http://www.ucs.mun.ca/~tmarshal/
                  ^o<
                  /#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
                  /^^ "Be Careful, Big Bird!" - Ditto "TIM-MAY!!" - Me


                  • '69 Camaro

                    #24
                    Re: verify windows password?

                    Hi, Tim.
                    Totally OT, but do you know what the equivalent NCO rank in the Canadian
                    or British army is to a gunnery sergeant?
                    According to the NATO ranks, it's equivalent to a Canadian warrant officer
                    adjutant (OR-7) or British staff sergeant/colour sergeant:



                    However, since the U.S. Marine Corps has so few commissioned officers, the
                    Corps is mainly run by the Staff NCO's and NCO's, so a Marine staff sergeant
                    or gunnery sergeant (both junior Staff NCO's) is generally functionally
                    equivalent to a company grade officer (commissioned officer from O-1 to O-3)
                    in any other military service. For example, as a staff sergeant (OR-6 or
                    E-6), I served as Officer of the Day (OOD) in the base commanding officer's
                    stead, whereas any other military service requires a minimum O-1 (2nd Lt) to
                    O-3 (Capt) to stand in for the base commanding officer in his absence.

                    It's really neat checking into a new unit and finding out that there just
                    aren't that many people who outrank you, and of those who do, only butter
                    bars would ever consider messing with a Gunny -- and they learn fairly
                    quickly what a bad idea that can be. ;-)

                    HTH.
                    Gunny

                    See http://www.QBuilt.com for all your database needs.
                    See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
                    Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
                    http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
                    info.



                    • Matthias Klaey

                      #25
                      Re: verify windows password?

                      diane <diane.pittman@verizon.net> wrote:
                      I've got an application running with table-based security: i capture
                      the user's windows login with fOsusername, then have them enter a
                      password checked against their username/login in my own table. The
                      problem is, they can't remember the passwords they've created, and I
                      spend more time than I want to resetting.
                      >
                      Here's what I'd LIKE to have happen: when the user opens the
                      application (Access2k), a dialog box appears with the windows login
                      name of the currently-logged in user (I can do this part), and they
                      have to enter their WINDOWS password, which some windows api verifies
                      for me so I can allow or not allow them in.
                      >
                      Is there a way for windows to verify the password for me? I can't
                      seem to find anything on this; all I get are directions to
                      fOsusername, which is only the first half of my battle.
                      >
                      Thanks for any help you can give me.
                      Hi Diane

                      Check out the LogonUser API and NetUserChangePassword on



                      HTH

                      Matthias Kläy
                      --
                      Internet, telephony, TV, web hosting, cloud, e-mail, backup & business connectivity
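As an added example (not code from the thread or from Matthias), this is how the LogonUser API named above can be called from Access VBA so that the check answers only yes/no, and only for the account already logged on to the workstation. The function names are my own; the constants and the USERNAME/USERDOMAIN environment variables are standard Windows values.

```vba
Option Compare Database
Option Explicit

' Added example, not code from the thread. Re-authenticates the *currently
' logged-on* Windows user by handing the typed password to LogonUser. The
' function only returns True/False; the password is not stored anywhere and
' the logon token is released immediately.

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, _
    ByVal lpszDomain As String, _
    ByVal lpszPassword As String, _
    ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, _
    ByRef phToken As Long) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_NETWORK As Long = 3      ' no interactive session is created
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0

' Returns True only when Windows accepts the password for the given account.
' Note: every failed call is recorded by the authenticating authority (local
' SAM or domain controller) and counts toward the account lockout policy, so
' this must never be wrapped in a retry loop.
Public Function VerifyWindowsPassword(ByVal userName As String, _
                                      ByVal domain As String, _
                                      ByVal password As String) As Boolean
    Dim hToken As Long
    Dim ok As Long

    ok = LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, _
                   LOGON32_PROVIDER_DEFAULT, hToken)
    If ok <> 0 Then
        ' Credentials accepted; we only wanted the answer, so drop the token.
        CloseHandle hToken
        VerifyWindowsPassword = True
    Else
        ' Wrong password, or a locked/disabled account. Fail closed.
        VerifyWindowsPassword = False
    End If
End Function

' Pins the check to the account that is already logged on to this workstation
' (the same name fOsUserName returns), so the login form cannot be used to
' test passwords for any other account.
Public Function ReauthenticateCurrentUser(ByVal typedPassword As String) As Boolean
    Dim userName As String
    Dim domain As String

    userName = Environ$("USERNAME")
    domain = Environ$("USERDOMAIN")        ' computer name for a local account
    If Len(userName) = 0 Or Len(typedPassword) = 0 Then Exit Function   ' False

    ReauthenticateCurrentUser = VerifyWindowsPassword(userName, domain, typedPassword)
End Function
```

Call ReauthenticateCurrentUser from the form's OK button and open the application only on True; on False, show a generic failure message and do not retry on the user's behalf.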


                      • Lyn

                        #26
                        Re: verify windows password?

                        On Tue, 12 Jun 2007 12:06:02 -0700, '69 Camaro wrote:
                        >
                        There's an important difference, in that Group Policies (for network domain
                        login rules) and workstation login rules apply for the Windows logins.
                        These add a sufficient time delay between attempts and limit the maximum
                        login attempts such that the millions or billions of possible password
                        combinations (or more) that are required for a brute force attack to succeed
                        are fairly easy to prevent. Authorized users are allowed to authenticate
                        at Windows login, whereas brute force attackers aren't. Once authenticated
                        on a Windows system, a programmatic check of whether or not a possible
                        password combination matches any user's Windows password could be done
                        millions of times per minute without the time delay constraint between
                        attempts, nor the limit on the maximum number of tries of the earlier
                        Windows login.
                        >
                        Hi guys,
                        I don't want to buy in to the argument -- I am enjoying the exchanges too
                        much :-)

                        Just a question. If MS has built in to the Logon API such hacker
                        deterrents as time delays and maximum attempts, surely that would also
                        apply if someone were to use the API outside of the Windows OS to
                        authenticate a user password? So wouldn't it be just as hard to use brute
                        force in an Access app as it is at the Windows Logon?

                        Or are we saying that MS have coded their API as a simple authentication
                        routine, and then built all the hacker proofing around and outside of the
                        API?

                        One can never be sure what goes on in the minds of those at MS, and I don't
                        know the answer to this question, but wouldn't they build all of the
                        protection INTO the API so that if the method of calling the API fell into
                        the wrong hands it would remain as safe as it is at Logon time?

                        Again, I don't know the answer, and I wouldn't like to second-guess MS, but
                        if I were designing such an API (and I have some experience in specifying
                        APIs, though not for anything that runs in Windows), I would build in the
                        protection.

                        Just a thought...

                        Cheers,
                        Lyn.


                        • '69 Camaro

                          #27
                          Re: verify windows password?

                          Hi, Lyn.
                          If MS has built in to the Logon API such hacker
                          deterrents as time delays and maximum attempts, surely that would also
                          apply if someone were to use the API outside of the Windows OS to
                          authenticate a user password? So wouldn't it be just as hard to use brute
                          force in an Access app as it is at the Windows Logon?
                          If the premise is true, then the conclusion is true. That's as much as I'm
                          willing to say about this Windows feature. (Sorry. I'm not very helpful.)
                          Or are we saying that MS have coded their API as a simple authentication
                          routine, and then built all the hacker proofing around and outside of the
                          API?
                          >
                          One can never be sure what goes on in the minds of those at MS
                          I'd rather not publicly discuss this feature, because the code needed to
                          authenticate has certain inherent problems, which of course, have
                          work-arounds. Just discussing a particular security issue can make the
                          work-around self-evident.
                          Again, I don't know the answer, and I wouldn't like to second-guess MS,
                          but
                          if I were designing such an API (and I have some experience in specifying
                          APIs, though not for anything that runs in Windows), I would build in the
                          protection.
                          I tend to agree with you, but opposing arguments can also be made in this
                          situation. If the user has already successfully authenticated into the
                          network, then why should that user have to wait X number of seconds between
                          tries and have a limited number of tries when using such an API? And should
                          the user be automatically logged out and the Network Administrator notified
                          when the user exceeds this limit after a normal Windows login? If these
                          last two items are built into the API, then wouldn't the programmer
                          automatically put "false" for the "logout" and "notify administrator"
                          parameters of the function? Of course he would, so those wouldn't be
                          parameters built into the API, but information that would have to be
                          retrieved from the Group Policy settings, which adds complexity (and time
                          and cost) to the design of the API function, which may not be desired. It's
                          a lot easier (and cheaper) to keep it as simple as possible.

                          HTH.
                          Gunny

                          See http://www.QBuilt.com for all your database needs.
                          See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
                          Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
                          http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
                          info.



                          • '69 Camaro

                            #28
                            Re: verify windows password?

                            Hi, David.
                            Gunny you are an ass.
                            Quit being such a
                            asswad.
                            Your vocabulary and grammar are so impressive that perhaps you can help me
                            identify a word or phrase I'm trying in vain to come up with. What do we
                            call the guy who logs into Google Groups and marks his own replies with four
                            stars and marks the replies of other posters in the thread with either one
                            or two stars (apparently to identify them as "bad answers"), but totally
                            ignores a helpful answer, as well as the information the questioner gave?



                            Your two replies you marked as so star-worthy totally ignored the following:

                            1.) Diane's statement that she's saving the User ID's and passwords in a
                            table (i.e., she's not using User-Level Security, and she never implied that
                            User-Level Security is one of her goals, either). It's a huge security risk
                            to save the Windows user names and passwords in a workgroup information file
                            because very cheap (and free) tools can be used to read the User ID's and
                            passwords, so it should never be considered as an option.

                            2.) Diane's statement that "My users are sufficiently concerned with the
                            privacy of this data to make sure that they do not leave the application
                            open on the desktop when they walk away," so your suggestion to "write a
                            routine that closes a database after a given period of inactivity to resolve
                            the idiot user syndrome" is moot and was ignored by Diane.

                            3.) Diane is not a "he."

                            4.) Diane never replied to any of your posts, so she never gave any
                            indication as to why she would have mysteriously become thrilled enough with
                            your suggestions to take the time to mark them with four stars, despite the
                            fact that they didn't address her concerns, nor provide assistance with her
                            goal.

                            5.) You didn't even mark Matthias Klaey's helpful reply with any stars,
                            which conceivably is the only reply Diane received that answered her
                            question in the way she expected it to be answered. If Diane were to mark
                            any replies with stars, that's the one she would have picked, although if
                            you look at her profile and previous posts, you'll see that "measuring other
                            people and being measured by other people's standards" makes her use of an
                            online rating system of complete strangers a non sequitur.

                            Gunny

                            See http://www.QBuilt.com for all your database needs.
                            See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
                            Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
                            http://www.Access.QBuilt.com/html/ex...ributors2.html for contact
                            info.



                            • Lyn

                              #29
                              Re: verify windows password?

                              On Thu, 14 Jun 2007 12:30:35 -0700, '69 Camaro wrote:
                              >If MS has built in to the Logon API such hacker
                              >deterrents as time delays and maximum attempts, surely that would also
                              >apply if someone were to use the API outside of the Windows OS to
                              >authenticate a user password? So wouldn't it be just as hard to use brute
                              >force in an Access app as it is at the Windows Logon?
                              >
                              If the premise is true, then the conclusion is true. That's as much as I'm
                              willing to say about this Windows feature. (Sorry. I'm not very helpful.)
                              >
                              >Or are we saying that MS have coded their API as a simple authentication
                              >routine, and then built all the hacker proofing around and outside of the
                              >API?
                              >>
                              >One can never be sure what goes on in the minds of those at MS
                              >
                              I'd rather not publicly discuss this feature, because the code needed to
                              authenticate has certain inherent problems, which of course, have
                              work-arounds. Just discussing a particular security issue can make the
                              work-around self-evident.
                              >
                              >Again, I don't know the answer, and I wouldn't like to second-guess MS,
                              >but
                              >if I were designing such an API (and I have some experience in specifying
                              >APIs, though not for anything that runs in Windows), I would build in the
                              >protection.
                              >
                              I tend to agree with you, but opposing arguments can also be made in this
                              situation. If the user has already successfully authenticated into the
                              network, then why should that user have to wait X number of seconds between
                              tries and have a limited number of tries when using such an API? And should
                              the user be automatically logged out and the Network Administrator notified
                              when the user exceeds this limit after a normal Windows login? If these
                              last two items are built into the API, then wouldn't the programmer
                              automatically put "false" for the "logout" and "notify administrator"
                              parameters of the function? Of course he would, so those wouldn't be
                              parameters built into the API, but information that would have to be
                              retrieved from the Group Policy settings, which adds complexity (and time
                              and cost) to the design of the API function, which may not be desired. It's
                              a lot easier (and cheaper) to keep it as simple as possible.
                              >
                              Well, as I said, I don't know much about how this API works. You
                              apparently do, so I will bow to your insight. 'Nuff said.

                              Lyn.


                              • Tim Marshall

                                #30
                                Re: verify windows password?

                                '69 Camaro wrote:
                                It's really neat checking into a new unit and finding out that there just
                                aren't that many people who outrank you, and of those who do, only butter
                                bars would ever consider messing with a Gunny -- and they learn fairly
                                quickly what a bad idea that can be. ;-)
                                I could never understand that sort of behaviour - all through officer
                                school and RMC it was hammered into us that the senior NCOs were to be
                                respected for their experience and knowledge. Yet so many 2Lts act like
                                total know-it-all boneheads when they get to their units.
                                --
                                Tim http://www.ucs.mun.ca/~tmarshal/
                                ^o<
                                /#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
                                /^^ "What's UP, Dittoooooo?" - Ditto
