-
May 21st, 2009, 04:58 AM
#1
Thread Starter
New Member
Need to satisfy Security concerns on app use - is advapi32.dll GetUserName secure?
My code is currently using:
Public Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
Plenty of threads on the forum referencing this but none seem to cover my security concerns and are more focussed on use of.
This restricts the user login name to the value returned and the user's Application password is stored in the database as an encrypted value along with an encrypted version of their Database password.
I now need to satisfy new requirements declared by Security:
Passwords -
No repeat of last 18 passwords (requiring password history), minimum length AND must contain 3 character types (UPPER, lower, number or special)
OR......
SSO (single sign on) via Domain Authentication
Does advapi32 suffice as Domain Auth? Where does it come from? Can it be spoofed? If not, then it is as good as, unless they require that the user re-confirm their Windows login. If so, is this possible with VB6?
FYI - my app already has the ability to auto-login (to the app itself) using the username returned via advapi32 but this is currently disabled.
Help?!?!?!?!?!?
-
May 21st, 2009, 07:04 AM
#2
Re: Need to satisfy Security concerns on app use - is advapi32.dll GetUserName secure
Welcome to VBForums 
It's quite a delicate subject rather than boring. What is your actual problem with the first option? Is creating "password history" that difficult?
And - the forum rules state there should be no bumping
-
May 21st, 2009, 03:55 PM
#3
Thread Starter
New Member
Re: Need to satisfy Security concerns on app use - is advapi32.dll GetUserName secure
Hadn't read rules - where would I find the time? However, I will try to observe that rule from now on.
There is no problem with making the required changes, just a question as to whether we need to! Security have said that we can add our own password history and enforce rules on length etc OR we can go Domain Authentication / Trusted Sign-on, SSO route. We already have an enforced user id for the login that we already have, ie user does not (indeed cannot) amend this but just supplies their app password. The user id is picked up from the previously mentioned API route and we already have an option within the app to 'trust' this user id and auto-login to the app with appropriate rights. However, is this safe/enough?
My question is: Is this safe, can the response be spoofed, where does this answer come from? If it's the registry then I'm sure it probably can be spoofed but I'm a programmer, not a hacker and don't normally concern myself with this type of thing (at least not with VB apps).
-
May 21st, 2009, 04:41 PM
#4
Re: Need to satisfy Security concerns on app use - is advapi32.dll GetUserName secure
I've moved your thread to here since it doesn't appear to be a VB6 question.
-
May 22nd, 2009, 06:17 AM
#5
Hyperactive Member
Re: Need to satisfy Security concerns on app use - is advapi32.dll GetUserName secure
I am going to have to do this in the future as well.
I use environ for my users' credentials, however the password logging would be an issue for me. I would say that you need to hash/encrypt the passwords when storing them and then you would need to make sure they are not stored in the main DB if your app uses one.
The users will need access to the passwords in some way to allow the app to check the previous passwords.
I would say using the user name alone is not secure enough as someone may get on to the PC when another user is logged in.
I'm interested to see how others do it.
David
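The password option from the first post (no repeat of the last 18 passwords, a minimum length, 3 of 4 character types) checked against a history that holds only salted hashes, as an added example that is not code from any poster in this thread. It is written in Python rather than VB6, and the minimum length of 8, the PBKDF2 work factor and all function names are assumptions, since the thread specifies none of them.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 18    # from the thread: no repeat of the last 18 passwords
MIN_LENGTH = 8        # assumption: the thread gives no minimum length
MIN_CLASSES = 3       # from the thread: 3 of upper, lower, number, special
ITERATIONS = 100_000  # assumption: PBKDF2 work factor


def character_classes(password):
    """Count how many of the four character types are present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def in_history(password, history):
    """Re-hash the candidate under each stored salt; no plaintext is kept."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def change_password(password, history):
    """Validate against the policy; on success return the updated history."""
    if len(password) < MIN_LENGTH:
        raise ValueError("too short")
    if character_classes(password) < MIN_CLASSES:
        raise ValueError("needs 3 of: upper, lower, number, special")
    if in_history(password, history[-HISTORY_DEPTH:]):
        raise ValueError("matches one of the last 18 passwords")
    return (history + [hash_password(password)])[-HISTORY_DEPTH:]
```

Because each history entry carries its own salt, a reuse check costs one hash per stored entry, and the stored values cannot be compared with each other to spot users who share a password.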