How to make Client Change Password every 3 months

Hi All, I want to show a message to make users change their password every 3 months. It should be able to record the last day the change was made. Also, how do I access the Change Password table… it is a system table. Thanks, Alofokhai

Hi Alofokhai, Use Windows-authentication, and let AD control this for you. In AD you can also set up some criteria for the passwords to fulfill (password-length, valid chars etc.). I don’t think that “Change password” is a table. Passwords are stored in the user-table (2000000002) as password-text. If you create your own “change password”-form, and restrict users from using the existing one (remove System 5830 from ALL-role), then your goal could be obtained. regards Alexander

Pls. Thanks for the response. I do not understand what you mean by AD control. Pls. explain further. Thanks

AD = Active Directory = Microsoft Network User Model

Let me explain further. I really want Navision users to change their Navision password every 3 months. Thanks

Well, forcing the users to change their password every 3 months can (by default) ONLY be obtained if you use the Windows-authentication. If you insist on using Native-login (which by the way is less secure than Windows-authentication), then you will have to create your own “change password”-form, in order to be able to record when the password was last changed. Then restrict the user from using the default “change password”-form, since this form does not record the last change date (remove System 5830 from ALL-role). (The new form will of course not be accessible from the Tools-menu, but will have to be accessed from somewhere else). Then in codeunit 1 you build in some checks to see if it is time for the current user to change password, and make sure that the user actually changes the password before letting him in. Next you will have to make sure that the passwords fulfill some given criteria - these checks you will have to build yourself. Whereas if you use Windows-authentication all this is given. regards Alexander

Pls. Alex, explain this Windows-authentication thing. Thanks

quote:

If you insist on using Native-login (which by the way is less secure than Windows-authentication),…
Originally posted by sander7 - 2006 Feb 21 : 06:08:22

Less secure? Why? OK, we might open a new topic about this but I cannot see ANY reason why it is less secure.

The only thing less secure is really that you cannot force it to change the password periodically and you cannot set up the special rules for password (min length, combinations etc.). As to explaining Windows Authentication - that means that you are using the Login/Password that you used when you authenticated your current Windows session (your Windows/Network login).

Alofokhai, When you start your computer in the morning, you’re prompted for a login. In Navision, in the Tools-menu → Security you can create windows-logins as well as Database-logins. The windows-logins are what I refer to, and they relate to the Active Directory in the Domain. Walther, I’m no expert on logins and security, I only stated what I’ve been taught by others. (I knew I should have included a “said to be” in my statement [:0)]) regards, Alexander

Navision’s own authentication is less secure than Windows, whether you are using NTLM or Kerberos. Navision 4.0 is better but still less secure. SQL and Navision Server have different implementations - but the same applies with SQL; its own database authentication is less secure than Windows (although better than Navision Server’s own authentication). I was going to list specific reasons but I won’t. If you take a look at what security attacks NTLM and especially Kerberos mitigate you will get a flavour for what Navision’s own authentication is not giving you, and password turnover is just one issue. (You can find this information in a good security book such as one by Keith Brown, or on a good Wiki page etc). If you still need to go with Navision’s own authentication I would recommend using 4.0 with the Secure Sockets net protocol (uses SSPI) at least. (Security is all relative - If it is just you and your grandmother using the system it probably isn’t a concern). Bear in mind also that in the not too distant future, Windows authentication is likely to be the only one available. Windows authentication is actually separate from Active Directory but that is another matter. Conceptually it is common to refer to them in the same sentence.

Also keep in mind that if you have a very good and secure password system, say requiring an upper/lowercase mix with at least one numeric and one symbol (eg: MBS#4online3) and having to change at least once a month, and no repeats, then really you have NO security whatsoever, since the passwords are written on a piece of paper in the top left hand drawer of the user's desk. [B)] This is how it works in the real world. [:D]

quote:

This is how it works in the real world. [:D]
Originally posted by David Singleton - 2006 Feb 21 : 17:22:09

Exactly!

quote:

quote:
This is how it works in the real world. [:D]
Originally posted by David Singleton - 2006 Feb 21 : 17:22:09

Exactly!
Originally posted by walter@kirz - 2006 Feb 22 : 11:53:41

Been there done that… I guess you have been there too, right Walter[;)] [:D]

Oh the worst is when some auditor type with no real world experience (or worse an arrogant auditor) comes in and says you need to have a random character password of at least 8 characters, it has to be changed every 30 days, and cannot repeat for 6 times. And by the way, you have to have a different password for each system you access. And I did have an Internal Control Manager tell me that we should generate and issue passwords created by a random character generator… geez. My next question is how big is the post-it under the keyboard going to be? The worst of it is they don’t get how impractical their requirement is, because they don’t have to live with what they tell others to do. BTW, do you remember the movie “War Games”? Gary

quote:

quote:

quote:
This is how it works in the real world. [:D]
Originally posted by David Singleton - 2006 Feb 21 : 17:22:09

Exactly!
Originally posted by walter@kirz - 2006 Feb 22 : 11:53:41

Been there done that… I guess you have been there too, right Walter[;)] [:D]
Originally posted by David Singleton - 2006 Feb 22 : 10:46:31

Right, I have been there.[:D]

OK, gentlemen, back to the main topic. Yes, it is possible to force a Navision user to change his/her password every three months. And here is the way: Create a new table with the same structure as the “User” table (2000000002) to shadow the values entered in the user table. Then you can compare, for the signed-in user, the actual password in the user table with the one in the shadow user table. If they are the same, you just compare the system date with the “Expiration Date” of the shadow user table within CU 1. So if you determine that the password is unchanged and expired, you can call a form in a loop which only gets exited when the user has changed his/her password. Then you need to update the password in the shadow table with the one from the user table and set a new expiration date. Anyway, this is all theoretical. I also suggest using Windows Login instead of Database Login.
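
The shadow-table check described in the post above, modelled in Python rather than C/AL, as an added example that is not code from the thread. `ShadowRow`, `must_change_password` and `login` are hypothetical names, the stored password is treated as an opaque string, and in Navision the same logic would sit in codeunit 1.

```python
import calendar
from dataclasses import dataclass
from datetime import date

MAX_AGE_MONTHS = 3  # "every three months", as asked in the thread


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of a shorter month."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass
class ShadowRow:
    """One row of the hypothetical shadow table, keyed by user ID."""
    password_value: str    # opaque stored value copied from the User table
    expiration_date: date  # end of the current password period


def must_change_password(user_id, stored_value, shadow, today):
    """Run at login; True means the change-password form must be shown."""
    row = shadow.get(user_id)
    if row is None or row.password_value != stored_value:
        # First login under the scheme, or the password has changed since
        # the last check: refresh the shadow copy and start a new period.
        shadow[user_id] = ShadowRow(stored_value,
                                    add_months(today, MAX_AGE_MONTHS))
        return False
    # Unchanged password: expired once today is past the expiration date
    # (assumption: the expiration date itself is still a valid day).
    return today > row.expiration_date


def login(user_id, read_stored_value, change_password_form, shadow, today):
    """Loop on the form until the stored value differs from the shadow copy."""
    prompts = 0
    while must_change_password(user_id, read_stored_value(), shadow, today):
        change_password_form()  # user may cancel; the loop then asks again
        prompts += 1
    return prompts
```

The shadow table holds a copy of each stored password value, so it needs the same permission restrictions as the User table.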

quote:

… BTW, do you remember the movie “War Games” ? Gary
Originally posted by GaryN - 2006 Feb 22 : 19:17:13

Wasn’t it “Hallo Dr. Falcon how about a nice game of chess?” ?

That was the one [:D]