password question

Hi, I’ve got a VS.Net application that I’m launching from within Navision running on SQL Server using database logins. I’d like to launch the VS.Net app under the same company/username/password as I’m running Navision. I can retrieve the company and user id data easily enough from within Navision, but any idea how I can retrieve the unencrypted password? Wayne

There really wouldn’t be any security at all if you could, would there? You can obviously perform a brute-force attack on the password (and I know this has been discussed before, please search) but no user will want to wait around while their passwords are being cracked… [:D] Why don’t you just ask for this information from the user when they are about to run this application?

Thanks, Nelson. I had resigned myself to having to do this. However, as a strictly theoretical argument, what harm could there possibly be in being able to programmatically retrieve your own password? Wayne

quote:
Originally posted by waynewil
…programmatically retrieve your own password?

When able to get your own you are able to get all the others as well, right?

Most password encryption schemes are one-way, i.e. you can never recover the original password from the encrypted one stored in the password database. Authentication is performed by encrypting the password entered by the user and comparing the encrypted strings. This is by design, for obvious reasons [;)] If you want to make things easier for your users, your application can offer a “save password” option. This would require the user to enter his password only the first time he uses your application, but obviously suffers from the disadvantage that the unencrypted passwords need to be stored securely in a safe place, and such a place is hard to find… [B)]
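The one-way check described in the post above, as an added example that is not part of the original thread and is not Navision's or SQL Server's actual scheme: the database keeps only a salted PBKDF2 verifier, and login re-derives it from the entered password and compares. The function names, the iteration count and the sample user are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this sketch; the page does not state any real scheme.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive the one-way verifier that is stored instead of the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive from the entered password and compare; nothing is decrypted."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# Verifier for a password nobody has, used to keep timing uniform for unknown users.
_DUMMY = make_record(os.urandom(16).hex())


def authenticate(db: dict, user: str, password: str) -> bool:
    """Look up the user's record and run the one-way check against it."""
    record = db.get(user)
    if record is None:
        verify(password, _DUMMY)  # do the same work, then refuse
        return False
    return verify(password, record)


if __name__ == "__main__":
    # Constructed sample data: one user with a made-up password.
    db = {"WAYNE": make_record("s3cret-Constructed")}
    print(db["WAYNE"])  # salt, iteration count and hash only
    print(authenticate(db, "WAYNE", "s3cret-Constructed"))
    print(authenticate(db, "WAYNE", "guess"))
```

The stored record has no field from which the caller, or anyone reading the table, could read the password back, which is why a launched application has to be handed the password by the user.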

quote:
Originally posted by xorph
unencrypted passwords need to be stored securely in a safe place, and such a place is hard to find… [B)]

I think that is true for the encrypted passwords as well… [:P][:D]

In any case, Navision is not keeping the password. It gets it from the user and authenticates the connection with it, whether SQL or Native, then no longer stores it. Why not make use of Windows authentication? There you can use Windows API functions to pass credentials on to another application (usually a server), as Navision is doing with the database servers. This is one of the intentions of Windows authentication - User ID and Password authentication will never allow you to do what you’re after.

quote:
Originally posted by robertc
Why not make use of Windows authentication?

This is a solution. But using this feature - if someone has access to your computer, the person also may access your Navision. I prefer having one password for my computer and another one for my finance-system (which may contain confidential data), where not everybody has unlimited admittance!

Windows authentication is out, as this is a commercial add-on that must accommodate both security modes. Otherwise, you guys have confirmed my limited options and have otherwise improved my understanding of password security. Thanks to all, wayne