Security New Password

There is a new password security option available with the StudioWorks framework. It adds a level of security to a StudioWorks application by checking whether the user's password has not been changed for a specified number of days. If the password has expired, the user is prompted to enter a new password.

There are several security problems with user passwords:

  1. If you let users set their own password, they will often use very easy-to-guess passwords (favorite color, make of car, license plate).
  2. If you assign a random secure password, users will write it down on a note and keep it within arm's length of their keyboard.
  3. If you change the password too often, users will write it down on a note and keep it within arm's length of their keyboard.

A technique I use to create easy-to-remember, secure passwords is to compose a password sentence that includes at least one number and is easy for me to memorize. For example:

My home is located at 229 Arthur Street.

My password is composed of the first character of each word, and if there are numbers, the full number. So the password for the above password sentence is:

mhila229as

Instead of memorizing the password, you memorize the password sentence. When you need to enter the password, you say the password sentence (silently) and type the first character of each word.

The StudioWorks new password security has several password sentence themes. When a new password is created, the date and theme are stored in the user's security info row. When the password expires, the user is prompted with the next password sentence theme. The new password window gets the user to input the information needed to generate a password sentence, explains it to them, and has them enter the password correctly three times before allowing them to continue and saving the new password to the user's security info row. Hopefully, by following this technique, users will commit the password sentence to memory and not need to write down the password.

Enabling New Password Security

To enable the new password security, modify the $signInOKContinue method of the main library Startup_Task to send a $checkPasswordHasExpired message to the oSecurity object. If the password has expired, you then send an $openNewPasswordWindow message to the oSecurity object.

The following sample code is the checkPasswordExpired method, which can be found in the Startup_Task of the myAppMain library of the StartNewApp demo.

; Get the default password expiry days from the oSysPrefs object.
If oSysPrefs.$:DefaultPasswordExpireDays.$cando
   
   Do oSysPrefs.$:DefaultPasswordExpireDays Returns PasswordExpireDays
   
   If secur.$checkPasswordHasExpired.$cando
      
      ; Check if the user's current password has expired.
      Do secur.$checkPasswordHasExpired(PasswordExpireDays) Returns bPasswordHasExpired
      If bPasswordHasExpired
         
         Do secur.$openNewPasswordWindow() Returns rWin
         If isnull(rWin)
            Calculate FlagOK as kFalse
            
         End If
      End If
   End If
End If

Quit method FlagOK

The checkPasswordExpired method is called by the $signInOKContinue method as follows:

; Redirect to the startup task default methods object.
Do redirect ioStartupTaskDefaultMethods Returns FlagOK
If FlagOK
   
   Do method checkPasswordExpired Returns FlagOK
   If FlagOK
      
      Do method initializestartTimeoutTimer Returns FlagOK
      
   End If
End If

If not(FlagOK)
   Do errhndlr.$promptonceLastError()
End If
Quit method FlagOK

Note

The oSysPrefs object and related wSysPrefs window can be found in the mySysAdmin library of the StartNewApp demo.

Temporary Password

The new password security also makes it possible to give a new user a temporary password which they can use to sign in, after which they are immediately prompted to create a new password.

The $checkPasswordHasExpired method of oSecurity checks to see if the password is prefixed with temp_. Any password that begins with temp_ (e.g. temp_xzy) is considered to be expired by the $checkPasswordHasExpired method, so the method will return kTrue (yes, the password has expired) to the sender. The wSecurityNewPassword window will be opened and the user will be prompted through the steps of creating a new password, which will then be saved to their user profile, replacing the temporary password.

If a user forgets their password, rather than having a system administrator look up and view their password, the system administrator can simply assign a new temp_ password (e.g. temp_dog) and instruct the user to sign in with the temporary password, following which they will be prompted through creating a new password.

To assign a new password, go to System Administration > Users and edit the user record. Click the Change Password button in the edit window. You will be prompted to enter a new password. The prompt message includes instructions on setting a temporary password.
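
The following Python model is an added example, not StudioWorks or Omnis code: it works through the password-sentence rule, the expiry check with the temp_ prefix, and the three-entry confirmation described on this page. The theme names, the row fields, the function names and the "more than N days" boundary are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

TEMP_PREFIX = "temp_"  # prefix named on the page
# Hypothetical theme names; the page does not list the framework's themes.
THEMES = ["home address", "first car", "favourite trip"]


def password_from_sentence(sentence: str) -> str:
    """First character of each word; a word that is a number is kept whole."""
    parts = []
    for word in re.findall(r"[A-Za-z0-9]+", sentence):
        parts.append(word if word.isdigit() else word[0].lower())
    return "".join(parts)


@dataclass
class SecurityInfo:
    """Constructed stand-in for the date and theme kept in the security info row."""
    changed_on: date
    theme: int  # index into THEMES


def password_has_expired(entered: str, info: SecurityInfo,
                         expire_days: int, today: date) -> bool:
    # A temp_ password is always treated as expired, whatever its age.
    if entered.startswith(TEMP_PREFIX):
        return True
    # Assumption: expired once more than expire_days have passed.
    return (today - info.changed_on).days > expire_days


def set_new_password(info: SecurityInfo, sentence: str,
                     entries: list, today: date) -> Optional[str]:
    """Accept the new password only after three correct entries."""
    password = password_from_sentence(sentence)
    if len(entries) != 3 or any(e != password for e in entries):
        return None  # row is left untouched; the user must try again
    info.changed_on = today
    # Record the theme just used: the one after the previously stored theme.
    info.theme = (info.theme + 1) % len(THEMES)
    return password  # storing the credential itself is outside this model
```
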