1 (edited by asawyer13 2020-11-30 21:49:22)

Topic: Password Encryption/Hash

I am wanting to create a base app that I can use for all my apps going forward.

I think I've decided I want to use the Library app.

In my first app, I will probably be creating user accounts via a SQL query. I see that the password is encrypted or hashed, I'm not sure which. It doesn't appear to be an md5 hash.

Can someone tell me how I can create the encrypted/hashed password when adding users?

Hopefully this can be done.

Thanks
Alan

Re: Password Encryption/Hash

I have to have a way to update the user's password, either programmatically or thru SQL. I want to create a link so that when the user forgets his password, which we know is going to happen, I can email him a new one. I need to be able to get that new password into the database so when they log back in, it will work.

Am I missing something??

Any help would be appreciated. My last two hurdles are this and the Forgot Password on the Login page. I really love the new Roles feature so I want to work with it and not try to create my own. I've tested hiding/disabling buttons, etc based on the Role that the user is in and it works great.

Alan

3 (edited by brian.zaballa 2020-12-01 02:42:35)

Re: Password Encryption/Hash

Good day Alan,

If you are using the user and role feature of MVD, for now, I think it is not possible. Only MVD Dev is the one who knows the key used in that password hash. It's been a while since MVD got an update, but I'm hoping that MVD Dev will make that password hash key available or changeable by the programmers for various reasons (one is your case). For now I think you can stick to the MVD User and Role. Then,
    a. Wait for an update that will cater to what you are looking for.
    b. Or, have a default password, e.g. "1234", copy it (the hashed password in the database) and save it somewhere else. Retrieve it, use it to change the user's password and give it to the user when they ask for a password reset. Then, have a form that will make sure that they change the password. You can add a boolean field to the __user table to handle checking whether the user changed their password. (If there's an MVD update, you can also update this function)

brian

Re: Password Encryption/Hash

Brian

I like the idea of the 1234 password. I can make that work.

Now if I can find the secret to adding a label that looks like a link to the login page and when the user clicks on it I can show them a forgot password form and then send them the new password.

I think cdb has done something similar but I was not able to get it to work.
If someone would be willing to create a working example that would be fantastic.

Thanks again

Alan

Re: Password Encryption/Hash

asawyer13 wrote:

Brian

I like the idea of the 1234 password. I can make that work.

Now if I can find the secret to adding a label that looks like a link to the login page and when the user clicks on it I can show them a forgot password form and then send them the new password.

I think cdb has done something similar but I was not able to get it to work.
If someone would be willing to create a working example that would be fantastic.

Thanks again

Alan

Here, I created an alteration to Login form, hope it helps to start on your program.

Post's attachments

alan_resetpassword.zip 495.72 kb, 368 downloads since 2020-12-01

brian

Re: Password Encryption/Hash

Brian
I will check that out in the morning.
Thanks so much.
Alan

7 (edited by CDB 2020-12-01 11:23:02)

Re: Password Encryption/Hash

You might be able to bend the Change Password form to do some of what you want instead of creating a complete form from scratch.


To call the inbuilt change password form  you can choose from:



procedure form1_btnUser_OnClick (Sender: TObject; var Cancel: boolean);
begin

    //frmdbCoreUsers.ShowModal;
    Form1.mniUsers.click;
end;

procedure Form1_btnPassword_OnClick (Sender: TObject; var Cancel: boolean);
begin

   //frmdbCoreUserForm.ShowModal;
   Form1.mniChangePassword.click;
   //frmdbCoreUserChangePwd.show;
end;

The buttons are ones I've placed elsewhere in my program, but you could take Brian's code and place either the mniXXXX or the frmdbCoreUserXX in the code he has for the two buttons he has used.

On a clear disk you can seek forever

Re: Password Encryption/Hash

Looks very good. Thanks to both of you.

Re: Password Encryption/Hash

I tried the idea of creating a table of encrypted passwords, but when I set a user's password to one of those it doesn't let them login.

I am wondering if Dmitry is using some sort of salt value to make the passwords unique.

Alan

Re: Password Encryption/Hash

I have confirmed that MVD must be using some sort of salt to create the passwords.

I added two users thru the app with the same password and when it stores it in the database, they are different.

This sort of messes up any idea that I can think of to do a reset or forgotten password.

HELP....

Thanks
Alan

Re: Password Encryption/Hash

I had forgotten but I want to create the users programmatically. So basically I am dead in the water.

Re: Password Encryption/Hash

Dmitry hasn't posted anything since the end of October.  I hope all is ok. I know he was working on new documentation and I don't mean to complain but if he could expose either how he's doing the encryption or give us a function to duplicate it, it sure would help me.. and anyone else that needs it.

Any direction would be useful so I can continue with my project.

Alan

Re: Password Encryption/Hash

asawyer13 wrote:

I have confirmed that MVD must be using some sort of salt to create the passwords.

I added two users thru the app with the same password and when it stores it in the database, they are different.

This sort of messes up any idea that I can think of to do a reset or forgotten password.

HELP....

Thanks
Alan

Oh Sorry. I remembered that I already tried copying a password from one user to another and it really didn't work so the 1234 password is not possible on the current User-Role function of MVD. My bad. Well, you will have to wait for MVD dev to disclose on how the password really works then or have your own User-Role Feature. I think the Dev used/added the Username on encrypting the password of the user that's why it is different, so you can also use it in your Custom User-Role.

brian
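
An added illustration, not part of the original thread and not MVD's actual scheme (which the thread does not disclose): two constructed salting schemes in Python that both reproduce the observation that identical passwords are stored as different values, and show that copying a stored value onto another row only fails when something account-specific, such as the username, is mixed into the hash. The function names, PBKDF2 parameters and sample users are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this example


def hash_random_salt(password: str) -> str:
    """Scheme A: fresh random salt per record, stored next to the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_random_salt(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def hash_bound_to_user(username: str, password: str) -> str:
    """Scheme B: salt derived from the username (the guess made in the thread)."""
    salt = hashlib.sha256(username.lower().encode()).digest()
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS).hex()


def verify_bound_to_user(username: str, password: str, stored: str) -> bool:
    return hmac.compare_digest(hash_bound_to_user(username, password), stored)


def demo() -> dict:
    # Constructed sample rows: two users who chose the same password.
    rows_a = {u: hash_random_salt("1234") for u in ("alan", "brian")}
    rows_b = {u: hash_bound_to_user(u, "1234") for u in ("alan", "brian")}
    result = {
        "a_values_differ": rows_a["alan"] != rows_a["brian"],
        "b_values_differ": rows_b["alan"] != rows_b["brian"],
    }
    # Copy alan's stored value onto brian's row, as tried in the thread.
    rows_a["brian"] = rows_a["alan"]
    rows_b["brian"] = rows_b["alan"]
    result["a_copy_logs_in"] = verify_random_salt("1234", rows_a["brian"])
    result["b_copy_logs_in"] = verify_bound_to_user("brian", "1234", rows_b["brian"])
    return result


if __name__ == "__main__":
    print(demo())
```

Under scheme A the copied value still verifies because the salt travels with the digest; under scheme B it does not, which matches the behaviour reported in the thread.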

Re: Password Encryption/Hash

Hopefully MVD Dev will read this and have a solution.

Even disabling the encryption would be better than not being able to use it.

Alan

Re: Password Encryption/Hash

asawyer13 wrote:

Hopefully MVD Dev will read this and have a solution.

Even disabling the encryption would be better than not being able to use it.

Alan

I got on how the password is being hashed. I just don't know if it is proper to post it here. :) I'll email it to you

brian

Re: Password Encryption/Hash

I appreciate it.

Re: Password Encryption/Hash

asawyer13 wrote:

I appreciate it.

I sent it. Check it in your spam.

brian

Re: Password Encryption/Hash

Got it.
Thanks

Re: Password Encryption/Hash

CDB wrote:

You might be able to bend the Change Password form to do some of what you want instead of creating a complete form from scratch.


To call the inbuilt change password form  you can choose from:



procedure form1_btnUser_OnClick (Sender: TObject; var Cancel: boolean);
begin

    //frmdbCoreUsers.ShowModal;
    Form1.mniUsers.click;
end;

procedure Form1_btnPassword_OnClick (Sender: TObject; var Cancel: boolean);
begin

   //frmdbCoreUserForm.ShowModal;
   Form1.mniChangePassword.click;
   //frmdbCoreUserChangePwd.show;
end;

The buttons are ones I've placed elsewhere in my program, but you could take Brian's code and place either the mniXXXX or the frmdbCoreUserXX in the code he has for the two buttons he has used.

CDB or anyone, It's a bit unusual to be able to see the old and new password. Is there a way to mask what the user is typing?

20 (edited by derek 2020-12-04 15:04:50)

Re: Password Encryption/Hash

Hi Alan,
Have a look at the screenshot for the standard way to mask an edit field that contains a password - just choose whatever character you want to have displayed.
If you're doing it by script, it would be something like
procedure Form1_Edit1_OnChange (Sender: TObject);  //** whatever your password input field is
begin
  form1.edit1.PasswordChar := '*';                               //** whatever character you want to use as a mask
end;
Derekj.

Post's attachments

passwordcharacter.jpg 166.27 kb, 135 downloads since 2020-12-04

Re: Password Encryption/Hash

Thanks
In this case the Change Password form is hidden so I don't know the names of the edit fields.

But yes, if I had that info, I could use your technique.

Alan

Re: Password Encryption/Hash

asawyer13 wrote:

Thanks
In this case the Change Password form is hidden so I don't know the names of the edit fields.

But yes, if I had that info, I could use your technique.

Alan

//Showmessage(frmdbCoreUserChangePassword.Components[3].Name);
frmdbCoreUserChangePassword.edCurrentPassword.PasswordChar := '*' ;
frmdbCoreUserChangePassword.edNewPassword.PasswordChar := '*' ;
frmdbCoreUserChangePassword.edConfirmPassword.PasswordChar := '*' ;
brian

Re: Password Encryption/Hash

Thanks, as always.

Alan

Re: Password Encryption/Hash

brian.zaballa wrote:
asawyer13 wrote:

Hopefully MVD Dev will read this and have a solution.

Even disabling the encryption would be better than not being able to use it.

Alan

I got on how the password is being hashed. I just don't know if it is proper to post it here. :) I'll email it to you

Hi, could you e-mail me this please??

leggin2020@gmail.com

I'd appreciate it , thanks!!!

Re: Password Encryption/Hash

gonpublic2k wrote:
brian.zaballa wrote:
asawyer13 wrote:

Hopefully MVD Dev will read this and have a solution.

Even disabling the encryption would be better than not being able to use it.

Alan

I got on how the password is being hashed. I just don't know if it is proper to post it here. :) I'll email it to you

Hi, could you e-mail me this please??

leggin2020@gmail.com

I'd appreciate it , thanks!!!

Sent.

brian