Is there a way to compare a 10 character text field to the value of the Password field in the User table?
Yep. Just declare a variable of type Record that points to the User table. Set "User ID" := USERID and validate the Password with the 10-character value. After that you compare with the real password that is stored in the User table. In this way you compare two encrypted passwords.
Yes, it's possible. Here's some sample code:

1/ Create a new NF User: USER ID = ADMIN, PASSWORD = PASSWORD

2/ Create a new Codeunit

3/ Create the following globals:

    Name               DataType  Subtype  Length
    recUser            Record    User
    recUser2           Record    User
    PasswordToEncrypt  Code               20

4/ Copy and paste the following code on the OnRun() trigger:

    // >> PASSWORD ENCRYPTION - TD -
    IF recUser2.GET('ADMIN') THEN BEGIN
      PasswordToEncrypt := 'PASSWORD';
      recUser."User ID" := 'ADMIN';
      recUser.VALIDATE(Password, PasswordToEncrypt);
      // Password is encrypted after validation
      IF recUser.Password = recUser2.Password THEN
        MESSAGE('Password match')
      ELSE
        MESSAGE('Password does not match');
    END ELSE
      ERROR('You must set ADMIN as a User and PASSWORD as the password for that user');
    // << PASSWORD ENCRYPTION - TD -

5/ Save and run the Codeunit
It sounds really dangerous... any user having rights to create a report would then be able to create a brute-force procedure that allows obtaining the administrator password...
Not if you don't give him access to update the User table; then he can't use it. Notice that the only password you can obtain is the encrypted password. Sure, theoretically it's possible to check all possible combinations. But in reality?

Best regards,
Erik P. Ernst, webmaster, Navision Online User Group

Edited by - admin on 7/15/00 12:02:07 AM
The only password you can obtain is the encrypted one, so there's no risk unless you've got a LOT of time on your hands, which is what it takes to reverse-engineer Navision's encryption algorithm. Obviously anything which is password protected is subject to piracy and hacking. As far as I'm concerned it's not dangerous, but if someone really wants to screw a system he will manage to do it sooner or later.
Getting just the encrypted password is not the problem. Remember, I'm talking about a procedure that obtains the user's password by brute force (that is, a trial-and-error method by a procedure that generates the passwords to try). That method is used in most hacking utilities for descrambling passwords (such as John the Ripper) and is based on the fact that if you can encrypt a word and compare it with the encrypted password, it tells you whether it is valid or not, so you can easily obtain the password of any user by trying enough combinations. Remember that machines are faster day by day, and restricting the search to a low number of users (1 or 2) greatly increases the number of combinations the processor can try in a minute. Also, the limit is 10 characters, so the program can just limit itself to the possible 10-character combinations (including reading words from a dictionary file). A way of preventing this is that when a user is in a session he can only read/check his own password if he doesn't have read/write permissions on the User table.

Alfonso Pertierra, Lider Informática S.A.
Nice code from Tarek, but you must then declare the PasswordToEncrypt variable as Text, because if someone uses a password like Hello12, as Code it is seen like this: HELLO12.

Best regards,
Alejandro Schubert
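As an added example (not code from Tarek's or any other post in this thread), here is the same check written as a reusable codeunit function in C/AL. The function name PasswordMatches and the variable names are assumptions; the User table, the encryption done by VALIDATE on the Password field, and the USERID system function are as described in the posts above. The candidate password is declared as Text rather than Code, since a Code field is stored upper-case, and the function refuses to check any user other than the one running the session, following the restriction suggested above.

```cal
// Locals, as they would be declared in the C/AL Locals window
// (names are assumptions for this example):
//   Name           DataType  Subtype  Length
//   StoredUser     Record    User
//   CandidateUser  Record    User
//
// Parameters: UserIDToCheck : Code[20]; PlainPassword : Text[10]
// Return value: Boolean
PROCEDURE PasswordMatches(UserIDToCheck : Code[20];PlainPassword : Text[10]) : Boolean
BEGIN
  // Only allow a user to check his own password; anything else would
  // give a brute-force procedure an encrypt-and-compare oracle for
  // every account in the User table.
  IF UserIDToCheck <> USERID THEN
    ERROR('You can only check the password of the current user.');

  // Fail closed if the user does not exist.
  IF NOT StoredUser.GET(UserIDToCheck) THEN
    EXIT(FALSE);

  // Run the same encryption the User table applies on VALIDATE, in a
  // record variable that is never INSERTed or MODIFYed, so nothing in
  // the database is touched.
  CandidateUser.INIT;
  CandidateUser."User ID" := UserIDToCheck;
  CandidateUser.VALIDATE(Password, PlainPassword);

  // Both values are now encrypted; compare them as stored.
  EXIT(CandidateUser.Password = StoredUser.Password);
END;

// Example use from an OnRun trigger or an OnValidate trigger of a
// Text[10] field (EnteredPassword is an assumed variable name):
//
//   IF PasswordMatches(USERID, EnteredPassword) THEN
//     MESSAGE('Password match')
//   ELSE
//     ERROR('Password does not match');
```

Note that the caller still needs read permission on the User table for GET to succeed; the function only limits which record can be compared, it does not replace table permissions.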