VB6 - Example on how to make a Login where password is stored hashed in Database

[CVMichael]

Lately a few users asked how to make a login for their applications.

This example shows how to make a login where the login information is stored in a database.

I'm using an Access Database (for simplicity), but it can be done just as easily with any other database type.

The password is stored hashed using MD5 (128 Bit) in the database, so you don't need to be afraid that someone will just open the database and read the passwords.

As most people know, hashing is a one-way encryption, so the hash cannot be brought back to the original password, that's why it is safe to store the passwords this way.

You can go further than that, and set a password to the database itself, but as many know, that is easily breakable using tools off the internet. That's why I did not bother adding a password to the database for this example.

[sunilvedula]

what application should i have to open the forms. i have tried using access but except the database nothing else opens. Can u help

[CVMichael]

what application should i have to open the forms. i have tried using access but except the database nothing else opens. Can u help

Amm.... VB6 means... Visual Basic 6.0 .... so you open the LogInExample.vbp file using Visual Basic...

Since the example comes with an empty database, you have to make a login first, then next time you start the application, it will ask you to login using the username & password you have saved previously...

[AWHF]

can u show me the right way to use the program?
i have installed the .zip file and in the folder there are many form. how do i use it? can u pls teach me.

[CVMichael]

You installed the zip file ? you mean you downloaded it and uncompressed the files to a directory ?

Just open the LogInExample.vbp project in VB6, and run the program.

Click on "Manage Users", type a user name, then type a password, click "Add", then exit, and close the application.

Next time you run the application you will be prompted for the user name and password you typed previously...

That's it...

[AWHF]

ops...ya! i had downloaded and didn't uncompressed the file. No wonder it can't work.

anyway, now it works!
this program seem useful but i don't understand how the form link with each other. normally i just build a single form to link with access database to do my project. but for yours, it has more than one form, besides that there is also .cls and .bas.
is there any other way to build the login page?

pls dun get me wrong, i'm not criticizing on ur program. is just that i'm not use to vb because normally i just build a sample program.

hope u can help me. actually i'm not from computer filed, i'm from E&E eng and currently i'm doing my project that going to communicate my hardware with vb+database. so i hope that u can help me.

Thanks in advance!

[Slicksilver555]

Im using this as a base for my online game... i think this can be a useful login but i only need the ability to change accounts for admin... i cant find any code to edit exept

Code:

Private Sub cmdOK_Click()
    mCancel = False
    mUsername = Me.txtUserName.Text
    mPassword = Me.txtPassword.Text
  
    Unload Me
End Sub

Can any1 tell me how to edit this to make it so Admin only get that screen?

[CVMichael]

That's because you are looking in the wrong place...

It does the checking for the login in the main form, in the DoLogin function

The right way to do what you want is to add anohter field in the table tblUsers, where you say that that person is an Admin.

Then you check for that in the application.

Or the easy way, is to simply check if the username = "Admin" in the code...

[Tribeca]

Hello Michael,

First i'd like to thank you for your work.
I was looking for this kind of script for a long time.

Just as silver55 i'd like to add access levels.
Like Admin, Special user, User.
I edited the Access Database with a extra field called: "Access"

I would like to know how to add the code part "username = admin" or "special user" (and so on) to the vb code. (Checking what kind of access he has)
Also i like to see this option added in the Manage Users dialog.

My VB knowlegde is pretty limited, so i'm asking for your help.

Perhaps you can also explain how to forward those users to frm's.
Like, if a user has admin access he will be forwarded to form3, a special user to form2, a user to form1. something like that. (After logging in)

Thanks for reading,
-Tribeca

[CVMichael]

Hi Tribeca,

I read your message, and I started working on a sample where you can set permissions by form.

The way I will make it: You "design" a group or groups, then you assign a group to each user, so every user will have access to the forms that the group has assigned to.

[Tribeca]

Hello Michael,

Thats pretty much it yes, thanks for taking the time to actually create this.
I really appriciate it.

I hope i dont trouble you too much with this project.

Thanks again.
-Tribeca

[Slicksilver555]

Hey Michael, do you know a way i can upload this to the internet (Like MySQL) for free and easily and i have the same issue as tribeca... and as it seems

Just as silver55 i'd like to add access levels.
Like Admin, Special user, User.

i asked first so can i have a copy of that new database also? thanks alot for your privious help and hopefully for your future help too and if you could look at My Online Game you and anyone else please read and if you can help.
Thanks Alot, Slicksilver555

[CVMichael]

As per your requests, I made significant changes to the project so you can add user type and groups.

[Tribeca]

That is what i needed yes.
Looking really good! Thanks for helping out.

-Tribeca

[toolize]

Great job CVMichael.

One thing I noticed was that when I open up the LogInExample2 BV workspace I cannot seem to move any of the controls at design-time (buttons, textboxes and etc.). Nor can I find any attribute to "unlock" them.

Second is about the user managment itself. Admins have right to update user-accounts with new password and even new username. It would be neat with a delete user ability.

Keep up the good work man. I really like your ecryption methods in your other threads.

[CVMichael]

I always Lock the controls when the design part is done while making the program. This way, I won't move a control by mistake.
I attached a screen shot of how I have my toolbars aranged, you can see the "Lock Controls" selected, and if you don't have it there, then you can add it from the Customize window.

I don't know how much experience you have with databases (I have a lot).
One thing you learn (in time) is that you never need to delete a user (also you can't), because of data integrity. If you have records made by that user, and foreign keys set up properly, then you won't be able to delete the user until all records made by that user are deleted also.

Instead the best thing to do is to have a boolean field like "Active", and if it's False, then the LogIn should not allow the user to log in.
But if you browse the records, you will still be able to see records done by that user.

I don't remember if I made the "Active" field in this example, if I did not, then it's probably because I did not want to complicate the application too much (or maybe I did not think of it at that time ).

I don't have time right now to make the modifications (I'm at work), but if you want to try you only have to do 3 things.

1) Add the field in the user table "Active" as boolean
2) In the Log-In, in the select statement, just add "Where Active = True"
3) Add the field in the user interface, that is accessable only by Admin.

[toolize]

Thanks for fast reply CVMichael

I had never seen that Lock Control toggle before. But it might come in handy tho. Anyway, delete user was kind of wrong to describe it. Better would be hide it or as you suggested make the account inactive and inaccessble to anyone but administrator. Only work I've done with databases are on PHP with mySQL and some simple MS Access jobs.

Keep up the good work !

[Sweet.Jesus]

My apologies for reviving this yet I need to know, say I already have a main form on my application and I want to set it up so that, the login form runs first, then if validated launches my main form where I could also use the manage users. How would I do that.

[CVMichael]

If I remember correctly, the example I have posted launches the main form first, and then the login form as a modal form. If the login is correct, then the login simply unloads, but if the login is incorrect (after 3 tries), then both unload.

So you can just add the login form to your project, and copy the same logic from my example in the first post...

[Sweet.Jesus]

Thank you, I will try it tonite and let you know how it works.

[grzechog]

Hi, can someone tell me how to autologin last logget user with this script ?
Thanks.

[rakcoool]

Thanks ,,

i need Example something like Tracking User .. I hope to get it

[rakcoool]

User Login And Tracking

[Condomx]

nice but what old passwords section use? if theres no change password?

[Eliminator2009]

Great work!

You have managed user groups via giving access to forms but with this procedure the non admin users can delete record from the database with their login another thing is that if anyone wants to see the data from other department how he can see or in other words how do we give the users:
Add
Save
Edit
Update
Delete
View
Rights

You have done a fantastic job we expect more. Kindly reply my questions.

[CVMichael]

Sorry, but I don't have time to make any improvements.

[lonerjasneg]

Im a 2nd year college student, and we are using vb and my sql server(sql instead of ms access). I converted the access data to sql, i think i need to change some of the code. like this one.

vb Code:

FormAllowed = DBConn.Execute("SELECT Count(*) FROM (tblUsers AS u " & _
            "INNER JOIN tblUserGroupPrivileges AS gp ON u.UserGroupID = gp.GroupID) " & _
            "INNER JOIN tblForms AS f ON gp.FormID = f.FormID " & _
            "WHERE u.[ID] = " & LogInUserID & " AND LCase(f.ObjectName) = LCase('" & FormName & "')").Fields(0).value > 0

Can you help me the proper way or a link where i can properly learn about writing sql codes. Thank you very much.

[louvelle]

Hi CVMichael!

Thanks for the wonderful post. I really appreciate it.

But I have a problem when I was about to look for the code in converting it back to the old password. I can't seem to load the old password when I double click on the ListView that you made in the frmManageUsers.

Could you kindly check the program again if it works for you..?

Thanks a lot..
^___^

[louvelle]

nevermind my post... i finally understood it..


thanks again for the code..
^__^

[kimpoy05]

i dont understand the "MD5" module there..! and the module class...
can you tell me the step by step on how you do that ??

[mhine0720]

Good day Sir, I've seen your project and i was truly fascinated by the way you did the password encryption. one thing that I can't work out with this is that what if I wanted to put a password on my database to protect the other field contents? How would or where should i put my userID and Password for my database? thank you so much for this wonderful project it really helps a lot.

[kulunggoy]

hello! i found this program helpful and im wanting it to modify but i dont know where to start..
can you please help me.. i just want to make a desktop locker, this what i want to do:


i want this for personal use only.. because my cousins mess up with my pc.. by the way im not a hardcore programmer but i can do simple ones. actually i created one but i want this login sample to merge with my program.. thanks in advance!

[Phantom1]

Thank for you for this work. It is useful and helpful. Is there a reason why the field size of the field Password is set to 32? Is it something to do with the MD5 implementation?

[CVMichael]

Yes...
128 bit (MD5 encryption strength) is 16 bytes (in binary)
16 bytes to HEX is 32 characters

If you change the encryption strength to something else, like SHA, then convert that to bytes times 2, and that's the length of the field should be. So for 160 bit SHA, then 160 / 8 = 20 * 2 = 40 chars...

[Phantom1]

Can you explain about

Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

and

Sleep 200 + 300 * Rnd?

I only know that it is to prevent brute force password cracking from the application, as it is annotated. How? What does Sleep (200 + 300 * Rnd), along with Randomize at the start of the DoLogin function, do exactly?

[CVMichael]

When cracking by brute force, you try in a loop passwords. The more passwords you try per second, the faster you crack it.
This just slows down the automated process that tries to crack the password. The Rnd is just there so that it is not too predictable on how long to wait until it tries next password.

[shank14sb]

hey michael...i liked ur work alot......can u help me designing a system where i have to decrement quantity of entity after every issue of the same entity...