
How to Deploy SB+ Password Validation

IT security is a vital component of business success. Guessing passwords is one of the most common attack methods that a system experiences. Therefore, controlling, managing, and monitoring your application password-restriction policy is essential. This article provides you with a step-by-step password validation deployment method for SystemBuilder™ security.

Level: Intermediate

Ehab AbuShmais (eabushmais@rs.com), Global Technical Support Manager, Rocket Software


12 Jan 2006

This article uses SB+ security validation routines and flags that are not documented in the SB+ Reference Manual or the SB+ Administration Manual. You can use the example programs provided to deploy a comprehensive password control solution step by step.

Step 1: Add the following 2 items to the DMSECURITY file:

1. VALIDATE.LOG

  • In attribute 1 of this item, specify the maximum number of retries to be allowed with each login attempt. SB+ will continue to default to 3 if this field is left blank.
  • In attribute 2, specify the name of the user subroutine to call whenever an incorrect password is entered. This user subroutine will be called every time an incorrect password is entered at the SB+ login prompt. To use the example subroutine provided below, enter USER.LOG here as the subroutine name.
    This subroutine has two arguments: UserID and Attempt #.
  • To make this change take effect, set the (DMCONT) SB.CONTROL control flag to 1. If this flag is not set, the user subroutine will not be invoked.

Note: The number of password retries applies system-wide -- processes like User and Group security, Login, and Keyboard timeout will also use it. The user subroutine needs to declare the two arguments (as in "SUBROUTINE USER.LOG(UID, ATTEMPT)"). The user subroutine must have an entry (catalog pointer) in the VOC.

2. VALIDATE.USER

  • In attribute 1 of this item, specify the name of the user subroutine to call. This user subroutine will be called after the correct password has been entered at the SB+ login prompt. To use the example subroutine provided below, enter USER.CHECK here as the subroutine name.
    This subroutine has two arguments: UserID and Err. The Err flag has four return values:
    • ERR = 0: OK, no error.
    • ERR = 1: Error, try again.
    • ERR = 2: Error, fatal, log user off.
    • ERR = 3: Error, try again but REDRAW SCREEN.

Note: The user subroutine needs to declare the two arguments (as in "SUBROUTINE ADDITIONAL.USER.CHECK(UID, ERRNO)"), and must have an entry (catalog pointer) in the VOC.

Step 2: Create the following subroutines in the BP (Basic Programs) file, or in the file of your choice:


Listing 1. Code for CHECK.PASS
SUBROUTINE CHECK.PASS(NEWPASS,VALID.FLAG)
*
* Called by SB+ when PASSWORD.VALIDATION in DMSECURITY is set to *CHECK.PASS.
* NEWPASS    = the password the user has just entered
* VALID.FLAG = 0 to accept the password, 1 to reject it
*
   $INCLUDE DMSKELCODE COMMON
   $INCLUDE DMSKELCODE STANDARD.EQU
*
* Validate the password length: the test below accepts 6 to 50 characters
* inclusive and rejects anything shorter or longer
*
   L = LEN(NEWPASS)
   IF L < 6 OR L > 50 THEN
      CRT; CRT; CRT "PASSWORD MUST BE MORE THAN 6 CHARACTERS AND LESS THAN 50"
      VALID.FLAG = 1
      RETURN
   END ELSE VALID.FLAG = 0
*
* Validate that the password is a mix of numbers, upper case, lower
* case and special characters. CNT1..CNT4 are set to 1 once the
* corresponding character class has been seen at least once.
*
   C = 0; CNT1 = 0; CNT2 = 0; CNT3 = 0; CNT4 = 0
   LOOP WHILE C # L DO
      C = C + 1
      CH = NEWPASS[C,1]
      IF CH = "" THEN
*        Defensive only: cannot be reached, because C never exceeds L
         RTN.FLAG = '0'; RETURN
      END
      IF (SEQ(CH) >= 65) AND (SEQ(CH) <= 90) THEN CNT1 = 1;    * A-Z: upper case
      IF (SEQ(CH) >= 97) AND (SEQ(CH) <= 122) THEN CNT2 = 1;   * a-z: lower case
      IF (SEQ(CH) >= 48) AND (SEQ(CH) <= 57) THEN CNT3 = 1;    * 0-9: number
      IF (SEQ(CH) >= 33) AND (SEQ(CH) <= 47) THEN CNT4 = 1;    * ! to /: special char 1
      IF (SEQ(CH) >= 58) AND (SEQ(CH) <= 64) THEN CNT4 = 1;    * : to @: special char 2
      IF (SEQ(CH) >= 91) AND (SEQ(CH) <= 96) THEN CNT4 = 1;    * [ to `: special char 3
      IF (SEQ(CH) >= 123) AND (SEQ(CH) <= 126) THEN CNT4 = 1;  * { to ~: special char 4
*     Add all flags to check whether every requirement has been met
      IF CNT1 + CNT2 + CNT3 + CNT4 = 4 THEN VALID.FLAG = 0
   REPEAT
   IF CNT1 + CNT2 + CNT3 + CNT4 # 4 THEN
      VALID.FLAG = 1
      CRT; CRT; CRT "MUST USE MIX CASE AND USE NUMBER AND SPECIAL CHARACTERS"
   END
   RETURN

If you use the following two routines, three consecutive incorrect authentication attempts will deactivate the user ID, until an admin resets the count of those attempts (using something similar to the paragraph process example shown in Listing 4). Please feel free to edit and customize the code to your personal preferences.


Listing 2. Code for USER.LOG
SUBROUTINE USER.LOG(UID,ATTEMPT)
*
* Called by SB+ (VALIDATE.LOG attribute 2) after every wrong password.
* UID = user ID entered at the login prompt, ATTEMPT = attempt number.
* The running count of wrong attempts is kept in attribute <41> of the
* user's DMSECURITY record, whose key is '~':UID.
*
   $INCLUDE DMSKELCODE COMMON
   $INCLUDE DMSKELCODE STANDARD.EQU
*
   OPEN "DMSECURITY" TO SEC ELSE
      CRT "CAN NOT OPEN DMSECURITY"
      RETURN
   END
   READ USER.REC FROM SEC,'~':UID ELSE
      CRT "CAN NOT READ USER ID"
      RETURN
   END
*
* Bump the counter; USER.CHECK clears it on a successful login and
* RESET.PWD lets an administrator clear it by hand
   USER.REC<41> = USER.REC<41> + 1
   WRITE USER.REC ON SEC,'~':UID
   RETURN


Listing 3. Code for USER.CHECK
SUBROUTINE USER.CHECK(UID,ERRNO)
*
* Called by SB+ (VALIDATE.USER attribute 1) after the correct password.
* ERRNO: 0 = OK, 1 = try again, 2 = fatal, log off, 3 = try again, redraw
*
   $INCLUDE DMSKELCODE COMMON
   $INCLUDE DMSKELCODE STANDARD.EQU
*
* Fail closed: ERRNO stays 2 unless the record can be read and is not locked
   ERRNO = 2
   OPEN "DMSECURITY" TO SEC ELSE
      CRT "CAN NOT OPEN DMSECURITY FILE"
      RETURN
   END
   READ USER.REC FROM SEC,'~':UID ELSE
      CRT "CAN NOT READ USER ID"
      RETURN
   END
*
   IF USER.REC<41> >= 3 THEN
* Prevent the user from logging in because they had 3 wrong password attempts
      CRT; CRT "CONTACT YOUR SYSTEM ADMINISTRATOR"
   END ELSE
* Reset the retry counter for next time
      USER.REC<41> = 0
      WRITE USER.REC ON SEC,'~':UID
      ERRNO = 0
   END
   RETURN

Process Paragraph to reset the counter of authentication attempts:


Listing 4. Code for RESET.PWD
* Process paragraph: run as RESET.PWD,USERID to clear the wrong-attempt
* counter (attribute <41>) in that user's DMSECURITY record
LOCAL USER.REC, UID
USER.REC = ''
UID = '~':@PARAM
IF @PARAM = '' THEN
 DISP 3, "Must provide a comma, then USERID after the process name"
 EXIT X
ELSE
 @RTN.FLAG = 0
END
*
READ USER.REC FROM "DMSECURITY",UID
IF @RTN.FLAG THEN
 DISP 3, @PARAM:" Does not exist!"
ELSE
 USER.REC<41> = 0
 WRITE USER.REC ON "DMSECURITY",UID
END
@PARAM = ''
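The lockout flow that Listings 2 to 4 implement through attribute <41> of the user record, as an added example that is not part of the original article and is not SB+ code: a Python model of USER.LOG, USER.CHECK and RESET.PWD driven by a simulated SB+ logon session. The dict `security` is a constructed stand-in for the DMSECURITY file (keys carry the `~` prefix the listings use, and the counter is stored under the made-up key `attr41`); keeping a clear-text password in it is only so the model can decide which attempts are wrong, since SB+ performs that comparison itself.

```python
# Added example (not SB+ code): a model of the USER.LOG / USER.CHECK /
# RESET.PWD lockout flow built on attribute <41> of the DMSECURITY record.
from typing import Dict, List, Optional, Tuple

MAX_RETRIES = 3        # VALIDATE.LOG attribute 1 (SB+ default)
LOCKOUT_THRESHOLD = 3  # USER.CHECK: IF USER.REC<41> >= 3

Record = Dict[str, object]


def user_log(security: Dict[str, Record], uid: str, attempt: int) -> None:
    """USER.LOG: called after every wrong password; bumps attribute <41>."""
    rec = security.get("~" + uid)
    if rec is None:
        return                      # listing reports CAN NOT READ USER ID
    rec["attr41"] = int(rec.get("attr41", 0)) + 1


def user_check(security: Dict[str, Record], uid: str) -> int:
    """USER.CHECK: called after a correct password.  Returns the ERRNO
    the article defines: 0 = OK, 2 = fatal, log the user off."""
    rec = security.get("~" + uid)
    if rec is None or int(rec.get("attr41", 0)) >= LOCKOUT_THRESHOLD:
        return 2                    # unreadable record or locked: fail closed
    rec["attr41"] = 0               # a successful login resets the counter
    return 0


def reset_pwd(security: Dict[str, Record], uid: str) -> bool:
    """RESET.PWD: an administrator clears the counter.  False if no such user."""
    rec = security.get("~" + uid)
    if rec is None:
        return False
    rec["attr41"] = 0
    return True


def login(security: Dict[str, Record], uid: str, entered: List[str],
          max_retries: int = MAX_RETRIES) -> Tuple[bool, Optional[int]]:
    """Model one SB+ logon session: the prompt is offered up to max_retries
    times, every wrong entry goes to USER.LOG and the first correct one goes
    to USER.CHECK.  Returns (logged_in, errno); errno is None when the
    session ends without a correct password."""
    rec = security.get("~" + uid)
    expected = rec["password"] if rec else None
    for attempt, candidate in enumerate(entered[:max_retries], start=1):
        if rec is not None and candidate == expected:
            errno = user_check(security, uid)
            return errno == 0, errno
        user_log(security, uid, attempt)
    return False, None


def failures(security: Dict[str, Record], uid: str) -> int:
    """Current value of attribute <41> for the user (0 if unset)."""
    return int(security.get("~" + uid, {}).get("attr41", 0))


def demo() -> Dict[str, Record]:
    """Constructed scenario: two wrong entries followed by the right one log
    in and clear the counter; three wrong entries spread over two sessions
    lock the account even when the right password follows, because the
    counter lives in the record, not in the session; RESET.PWD unlocks."""
    sec: Dict[str, Record] = {"~EHAB": {"password": "G7k!mQ2", "attr41": 0}}
    assert login(sec, "EHAB", ["nope", "nope2", "G7k!mQ2"]) == (True, 0)
    assert login(sec, "EHAB", ["nope", "nope2"]) == (False, None)
    assert login(sec, "EHAB", ["nope3"]) == (False, None)
    assert login(sec, "EHAB", ["G7k!mQ2"]) == (False, 2)   # locked out
    assert reset_pwd(sec, "EHAB")
    assert login(sec, "EHAB", ["G7k!mQ2"]) == (True, 0)
    return sec


if __name__ == "__main__":
    demo()
    print("lockout model behaves as the listings describe")
```

The model makes one point the listings only imply: because the counter is written to the user record, "three consecutive incorrect attempts" accumulate across sessions until a correct password either resets them (below the threshold) or triggers the lock (at or above it), and only RESET.PWD clears a locked account.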

Note: To change the password while logged on, execute the following process:

CHANGE.PWD

Step 3: Edit the item PASSWORD.VALIDATION in DMSECURITY to look like this:

*CHECK.PASS
(instead of **BYPASS)

Note: The **BYPASS is the default setting and means no password validation will be performed. If you specify the subroutine name with no asterisk (*) preceding it, the subroutine will be responsible for password validation.

If you use just one asterisk (*) with no subroutine name, SB+ performs only its own built-in password validation, listed below. The single asterisk at the beginning of *CHECK.PASS indicates that the built-in SB+ password validation is applied in addition to the named subroutine, and it will not allow:

  1. Passwords that contain a sequence of letters or numbers of 3 or more, such as ABC, or 123 (error message: PASSWORD MUST NOT CONTAIN SEQUENCES).
  2. Passwords that contain repetitive characters of 3 or more, such as using the same letter 3 times in a row, like AAA (error message: PASSWORD CONTAINS CHARACTERS THAT ARE TOO REPETITIVE).
  3. Passwords that contain a comma (error message: PASSWORD CONTAINS AN ILLEGAL CHARACTER).
  4. Passwords that are one of the last 10 passwords used for this account (error message: YOU CANNOT REUSE AN OLD PASSWORD).
     Note: The old passwords are stored (in encrypted form) in user record field <11> of the DMSECURITY file. Clearing this field should allow you to use old passwords again. Please note that doing so will invalidate the record's checksum. Be sure to go into the User Security Setup screen and file the user's record again, by hitting F2. This method is okay if you only need to do this once in a while.
  5. Passwords that are all numeric (error message: PASSWORD MUST NOT BE NUMERIC).
  6. Null passwords (error message: INVALID PASSWORD).
  7. Passwords that are the same as the user ID (error message: PASSWORD MUST NOT BE PART OF YOUR NAME OR ID CODE).
  8. Passwords that have fewer than 4 characters, or more than 50 characters (error message: PASSWORD MUST BE AT LEAST 4 CHARACTERS IN LENGTH BUT LESS THAN 50 CHARACTERS).
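The built-in rules listed above, as an added example that is not part of the original article and is not SB+ code: a portable Python model that applies the eight documented checks to a candidate password and returns the article's error message for the first one that fails, so a policy can be reasoned about or a password list screened offline before anything reaches the SB+ prompt. The order in which the checks are applied, the case-insensitive comparison of letters in the sequence and user-ID checks, and the reading of "sequence" as characters that step up by one (ABC, 123) are assumptions; SB+ may order or interpret them differently.

```python
# Added example (not SB+ code): a model of the built-in SB+ password rules
# the article lists.  Rule order and case handling are assumptions.
from typing import Optional, Sequence

HISTORY_DEPTH = 10   # "one of the last 10 passwords used for this account"
MIN_LEN, MAX_LEN = 4, 50


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters each step up by one code point
    (ABC, 123).  Letters are compared case-insensitively (assumption)."""
    codes = [ord(c) for c in pw.upper()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if all(window[j + 1] - window[j] == 1 for j in range(run - 1)):
            return True
    return False


def has_repetition(pw: str, run: int = 3) -> bool:
    """True if the same character occurs `run` or more times in a row (AAA)."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def sb_validate(pw: str, user_id: str, history: Sequence[str] = ()) -> Optional[str]:
    """Return None if `pw` passes every documented check, otherwise the
    article's error message for the first check that fails."""
    if pw == "":
        return "INVALID PASSWORD"
    if "," in pw:
        return "PASSWORD CONTAINS AN ILLEGAL CHARACTER"
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return ("PASSWORD MUST BE AT LEAST 4 CHARACTERS IN LENGTH "
                "BUT LESS THAN 50 CHARACTERS")
    if pw.isdigit():
        return "PASSWORD MUST NOT BE NUMERIC"
    if pw.upper() == user_id.upper():
        return "PASSWORD MUST NOT BE PART OF YOUR NAME OR ID CODE"
    if has_sequence(pw):
        return "PASSWORD MUST NOT CONTAIN SEQUENCES"
    if has_repetition(pw):
        return "PASSWORD CONTAINS CHARACTERS THAT ARE TOO REPETITIVE"
    if pw in list(history)[-HISTORY_DEPTH:]:
        return "YOU CANNOT REUSE AN OLD PASSWORD"
    return None


if __name__ == "__main__":
    # Constructed sample passwords, one per rule plus one that passes
    samples = ["", "a,b!Q9", "Qz9", "1357", "ehab", "aBc1!x", "Paaa1!", "G7k!mQ2"]
    for sample in samples:
        print(repr(sample), "->", sb_validate(sample, "EHAB") or "accepted")
```

Note that this model does not include the CHECK.PASS rules from Listing 1 (minimum 6 characters and the four character classes); with PASSWORD.VALIDATION set to *CHECK.PASS a password has to satisfy both sets.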

Notes:

  • Error messages 5-8 are not used if you use the CHECK.PASS example subroutine, because the validation in CHECK.PASS requires the password to be more than 6 characters.
  • To prevent users from using specific passwords, add them to the list of invalid passwords in an item called PASSWORD in the DMSECURITY file.
  • All unsuccessful login attempts are logged. You can check this log by using SB+ security reports from the security menu while in the SB+ Administrator account.
  • To force users to change their password every 30 days, or whatever period you want, add that in the user security setup under Pwd Rollover Date. To do this for the group, go into group security setup then press F7- Logon Times.


About the author


Ehab AbuShmais spent 12 years as an SB+ software engineer, with experience in SB+ product support, engineering, and consulting. Ehab is the author of the book Building Applications Using SB+ GUI and of the SB+ troubleshooting guide. Ehab holds a BS in Information Systems Engineering from SPSU, Marietta, Georgia, an MS in Computer Information Systems, and an MBA in Technology Management from the University of Denver.
