Been there, did that, it worked!
The key was the CAPS function.
(And tech support said it couldn't be done!)
Thanks,
Greg Krumrey, Information Manager, Patriot Machine, Inc.
Voice: 636-940-1776 x 130, fax: 636-940-8933
email: mailto:greg.krumrey@...
Alt: mailto:greg@... Web: www.patriot-machine.com
-----Original Message-----
From: Jim Mediger [mailto:JimM@...]
Sent: Friday, August 02, 2002 9:01 AM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] Re: Another Enhancement Request for all you progress
programmers out there...
I have used the following code to test passwords and the encode function. It
works up to 4.0.
Def Var TmpPassWd Like UserFile.Password.
For Each UserFile:
TmpPassWd = "Enter Your password Here".
TmpPassWd = encode(Caps(tmppasswd)).
If Password = Tmppasswd Then
Display DcdUserId
Name
Password
TmpPassWd.
/*
DEFINE VARIABLE password AS CHARACTER FORMAT "x(16)".
DEFINE VARIABLE id AS CHARACTER FORMAT "x(12)".
DEFINE VARIABLE codedpwrd AS CHARACTER FORMAT "x(16)".
SET id LABEL "Enter user id" password LABEL
"Enter password" BLANK WITH CENTERED SIDE-LABELS.
codedpwrd = ENCODE(password).
DISPLAY codedpwrd LABEL "Encoded password".
*/
Jim
-----Original Message-----
From: Greg Krumrey [mailto:gkrumrey@...]
Sent: Friday, August 02, 2002 7:53 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Re: Another Enhancement Request for all you progress
programmers out there...
Been There, Tried That, Didn't work.
When I called Epicor, they said Vantage uses it's own ENCODE algorithm that
has nothing to do with ENCODE() in progress or report builder (which are the
same).
If Epicor added it's encode as an algorithm that would solve my problem.
If they added a write trigger to encode the password a second time, using
progress ENCODE and placed it next to the PassWord field in UserFile
(PassWord2?), that would fix the problem.
If they wanted to really secure it, they could have a routine, that, when
called, would prompt the user for the User ID and Password, and return a
Login Success (True/False) and a Vantage ID. This is what I asked for.
While I see the benefits of password auditing, I would think the risks would
be much higher. In the hands of a hacker, a list of Vantage passwords would
be a gold mine. Besides, it is a possibility that there is no
inverse-vantage-encode. If it was a one-way routine, they would just encode
the password you typed in, and compare it to the encoded value in UserFile.
It's been a while, but I think this is how Unix works (with a twist of
Salt).
If the password export were to be added, it should probably require a module
that it activated only with the company's owner's password (or something
like that). Otherwise, a disgruntled system manager could keep this list as
an ace-in-the-hole in the event they were fired.
Finally, being a system manager and not knowing anyone else's passwords has
its advantages. I was laid off a year and a half ago. The owners of the
company hired a consultant to change the system passwords, and I made a list
to make sure they got them all. I ended up giving them about 4 hours of free
consulting when everything broke (due to services not having the right
passwords, automatic file transfers getting access denied, etc), but I
wanted (and got) a letter of recommendation. During that time, I made sure
someone was with me at all times that I was in the building and that I did
not see any new passwords being entered. I had a policy (and it was well
known) that I did not know anyone else's passwords. If anything happened
after the change-over, I could point out that I did not have the access to
do it.
Greg Krumrey, Information Manager, Patriot Machine, Inc.
Voice: 636-940-1776 x 130, fax: 636-940-8933
email: mailto:greg.krumrey@...
Alt: mailto:greg@... Web: www.patriot-machine.com
-----Original Message-----
From: Wayne Cox [mailto:wmc20@...]
Sent: Thursday, August 01, 2002 7:08 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Re: Another Enhancement Request for all you progres s
programmers out there...
At 10:17 PM 8/1/2002 +0000, you wrote:
that's what they used? If so, just do the standard password check routine
of encrypting the password entered by the user and comparing it to the
stored one.
If that works, it would also let you easily run the "password audit"
mentioned, too.
-Wayne Cox
Twenty Three - Information Technology Consulting
828-685-2338
Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
The key was the CAPS function.
(And tech support said it couldn't be done!)
Thanks,
Greg Krumrey, Information Manager, Patriot Machine, Inc.
Voice: 636-940-1776 x 130, fax: 636-940-8933
email: mailto:greg.krumrey@...
Alt: mailto:greg@... Web: www.patriot-machine.com
-----Original Message-----
From: Jim Mediger [mailto:JimM@...]
Sent: Friday, August 02, 2002 9:01 AM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] Re: Another Enhancement Request for all you progress
programmers out there...
I have used the following code to test passwords and the encode function. It
works up to 4.0.
Def Var TmpPassWd Like UserFile.Password.
For Each UserFile:
TmpPassWd = "Enter Your password Here".
TmpPassWd = encode(Caps(tmppasswd)).
If Password = Tmppasswd Then
Display DcdUserId
Name
Password
TmpPassWd.
/*
DEFINE VARIABLE password AS CHARACTER FORMAT "x(16)".
DEFINE VARIABLE id AS CHARACTER FORMAT "x(12)".
DEFINE VARIABLE codedpwrd AS CHARACTER FORMAT "x(16)".
SET id LABEL "Enter user id" password LABEL
"Enter password" BLANK WITH CENTERED SIDE-LABELS.
codedpwrd = ENCODE(password).
DISPLAY codedpwrd LABEL "Encoded password".
*/
Jim
-----Original Message-----
From: Greg Krumrey [mailto:gkrumrey@...]
Sent: Friday, August 02, 2002 7:53 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Re: Another Enhancement Request for all you progress
programmers out there...
Been There, Tried That, Didn't work.
When I called Epicor, they said Vantage uses it's own ENCODE algorithm that
has nothing to do with ENCODE() in progress or report builder (which are the
same).
If Epicor added it's encode as an algorithm that would solve my problem.
If they added a write trigger to encode the password a second time, using
progress ENCODE and placed it next to the PassWord field in UserFile
(PassWord2?), that would fix the problem.
If they wanted to really secure it, they could have a routine, that, when
called, would prompt the user for the User ID and Password, and return a
Login Success (True/False) and a Vantage ID. This is what I asked for.
While I see the benefits of password auditing, I would think the risks would
be much higher. In the hands of a hacker, a list of Vantage passwords would
be a gold mine. Besides, it is a possibility that there is no
inverse-vantage-encode. If it was a one-way routine, they would just encode
the password you typed in, and compare it to the encoded value in UserFile.
It's been a while, but I think this is how Unix works (with a twist of
Salt).
If the password export were to be added, it should probably require a module
that it activated only with the company's owner's password (or something
like that). Otherwise, a disgruntled system manager could keep this list as
an ace-in-the-hole in the event they were fired.
Finally, being a system manager and not knowing anyone else's passwords has
its advantages. I was laid off a year and a half ago. The owners of the
company hired a consultant to change the system passwords, and I made a list
to make sure they got them all. I ended up giving them about 4 hours of free
consulting when everything broke (due to services not having the right
passwords, automatic file transfers getting access denied, etc), but I
wanted (and got) a letter of recommendation. During that time, I made sure
someone was with me at all times that I was in the building and that I did
not see any new passwords being entered. I had a policy (and it was well
known) that I did not know anyone else's passwords. If anything happened
after the change-over, I could point out that I did not have the access to
do it.
Greg Krumrey, Information Manager, Patriot Machine, Inc.
Voice: 636-940-1776 x 130, fax: 636-940-8933
email: mailto:greg.krumrey@...
Alt: mailto:greg@... Web: www.patriot-machine.com
-----Original Message-----
From: Wayne Cox [mailto:wmc20@...]
Sent: Thursday, August 01, 2002 7:08 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Re: Another Enhancement Request for all you progres s
programmers out there...
At 10:17 PM 8/1/2002 +0000, you wrote:
>If we only had the decryption algorithm for UserFile.password...I've heard there is an "encrypt" function in the Progress 4GL. Maybe
that's what they used? If so, just do the standard password check routine
of encrypting the password entered by the user and comparing it to the
stored one.
If that works, it would also let you easily run the "password audit"
mentioned, too.
-Wayne Cox
Twenty Three - Information Technology Consulting
828-685-2338
Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/