Another Enhancement Request for all you progress programmers ou

I have used the following code to test passwords and the encode function. It works up to 4.0.

/* Test one known password against every UserFile record using ENCODE. */
Def Var TmpPassWd Like UserFile.Password.
For Each UserFile:
    TmpPassWd = "Enter Your password Here".
    TmpPassWd = encode(Caps(tmppasswd)).
    /* Show the record when the stored value matches the encoded test password. */
    If Password = Tmppasswd Then
        Display DcdUserId
                Name
                Password
                TmpPassWd.
End.
/*
DEFINE VARIABLE password AS CHARACTER FORMAT "x(16)".
DEFINE VARIABLE id AS CHARACTER FORMAT "x(12)".
DEFINE VARIABLE codedpwrd AS CHARACTER FORMAT "x(16)".

SET id LABEL "Enter user id" password LABEL
"Enter password" BLANK WITH CENTERED SIDE-LABELS.

codedpwrd = ENCODE(password).
DISPLAY codedpwrd LABEL "Encoded password".
*/

Jim


-----Original Message-----
From: Greg Krumrey [mailto:gkrumrey@...]
Sent: Friday, August 02, 2002 7:53 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Re: Another Enhancement Request for all you progress programmers out there...


Been There, Tried That, Didn't work.

When I called Epicor, they said Vantage uses its own ENCODE algorithm that has nothing to do with ENCODE() in progress or report builder (which are the same).

If Epicor added its encode as an algorithm that would solve my problem.

If they added a write trigger to encode the password a second time, using progress ENCODE and placed it next to the PassWord field in UserFile (PassWord2?), that would fix the problem.

If they wanted to really secure it, they could have a routine, that, when called, would prompt the user for the User ID and Password, and return a Login Success (True/False) and a Vantage ID. This is what I asked for.

While I see the benefits of password auditing, I would think the risks would be much higher. In the hands of a hacker, a list of Vantage passwords would be a gold mine. Besides, it is a possibility that there is no inverse-vantage-encode. If it was a one-way routine, they would just encode the password you typed in, and compare it to the encoded value in UserFile. It's been a while, but I think this is how Unix works (with a twist of Salt).

If the password export were to be added, it should probably require a module that is activated only with the company's owner's password (or something like that). Otherwise, a disgruntled system manager could keep this list as an ace-in-the-hole in the event they were fired.

Finally, being a system manager and not knowing anyone else's passwords has its advantages. I was laid off a year and a half ago. The owners of the company hired a consultant to change the system passwords, and I made a list to make sure they got them all. I ended up giving them about 4 hours of free consulting when everything broke (due to services not having the right passwords, automatic file transfers getting access denied, etc), but I wanted (and got) a letter of recommendation. During that time, I made sure someone was with me at all times that I was in the building and that I did not see any new passwords being entered. I had a policy (and it was well known) that I did not know anyone else's passwords. If anything happened after the change-over, I could point out that I did not have the access to do it.

Greg Krumrey, Information Manager, Patriot Machine, Inc.
Voice: 636-940-1776 x 130, fax: 636-940-8933
email: mailto:greg.krumrey@...
Alt: mailto:greg@... Web: www.patriot-machine.com
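
Added example, not part of the thread and not Epicor or Progress code: a Python illustration of the one-way, salted check and the "Login Success (True/False) plus ID" routine described in the message above. PBKDF2 is swapped in as the one-way function (it is not what Vantage or Unix uses), and `USERS`, `set_password`, `verify_login`, `same_stored_value` and the sample accounts are hypothetical, constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory stand-in for a user table (constructed sample data).
USERS = {}

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a deliberately slow, one-way derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def set_password(user_id: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt for every user
    USERS[user_id] = (salt, _derive(password, salt))

def verify_login(user_id: str, password: str):
    """Return (success, user_id or None); the stored value never leaves here."""
    record = USERS.get(user_id)
    if record is None:
        # Do the same work for unknown users so timing does not reveal them.
        _derive(password, b"\x00" * 16)
        return (False, None)
    salt, stored = record
    # Constant-time comparison of the re-derived value with the stored one.
    ok = hmac.compare_digest(_derive(password, salt), stored)
    return (True, user_id) if ok else (False, None)

def same_stored_value(user_a: str, user_b: str) -> bool:
    """True if two users' stored verifiers are byte-identical."""
    return USERS[user_a][1] == USERS[user_b][1]

# Constructed sample accounts; the first two share a password on purpose.
set_password("jsmith", "Widget42")
set_password("mjones", "Widget42")
set_password("akhan", "another-pass")

if __name__ == "__main__":
    print(verify_login("jsmith", "Widget42"))   # correct password
    print(verify_login("jsmith", "wrong"))      # wrong password
    print(same_stored_value("jsmith", "mjones"))
```

Because each record has its own salt, two users with the same password store different values, so a single encoded guess cannot be compared against the whole table the way an unsalted encode allows.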


-----Original Message-----
From: Wayne Cox [mailto:wmc20@...]
Sent: Thursday, August 01, 2002 7:08 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Re: Another Enhancement Request for all you progress programmers out there...

At 10:17 PM 8/1/2002 +0000, you wrote:
>If we only had the decryption algorithm for UserFile.password...

I've heard there is an "encrypt" function in the Progress 4GL. Maybe
that's what they used? If so, just do the standard password check routine
of encrypting the password entered by the user and comparing it to the
stored one.

If that works, it would also let you easily run the "password audit"
mentioned, too.

-Wayne Cox
Twenty Three - Information Technology Consulting
828-685-2338



Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/


Here's another one for you.

Company: Patriot Machine Inc.
Contact: Greg Krumrey
Call Placed by: greg.krumrey@...
Product: Vantage
Module: Miscellaneous
Version: 5.10.124
Option: N/A
Description: User Authentication from Progress Routine
Detail: On more than one occasion, I've wanted to make sure a user really is
who they say they are. In some cases, I can use their NT username, but in
most, they are logged into NT in a generic username. A progress function
(similar to getStringValue) that would prompt for the System Login (which
comes up when Vantage is started), and report back Succeed or Fail and a
Vantage UserID would fill this need.

Greg Krumrey, Information Manager, Patriot Machine, Inc.
Voice: 636-940-1776 x 130, fax: 636-940-8933
email: mailto:greg.krumrey@...
Alt: mailto:greg@... Web: www.patriot-machine.com