Security: Changing Passwords in Code with Form

home

Only Works With Access 2000 & Up; Uses DAO

Sunday, June 15, 2003 22:15:06

Related: Link to Steve Nyber's Handy Password Changer Form, which works with Access 97 and now (as of Jan 2003) works with 2000 as well

Link to My Form Which Handles Adding/Deleting User AND Password Administration On ONE Form

Derived from Microsoft Knowledge Base Article 200665.

Note: my suggestion is slightly different than the KB article suggestion, but is derived from it.

Using DAO (which appeared in Access 2000 for the 1st time), you can create a form for changing passwords. You can (a) create a form for the administrator to use for changing any user's passwords and (b)a page for allowing the currently logged-in user to change their password (and ONLY their password).

  1. Create a new module. Name it basSecurityCode
  2. Insert the following code 

Public Sub ChangeResetPassword(StrAction As String, StrUsername As _
	String, StrAdminLogon As String, StrAdminPass As String, Optional _
	StrNewPassword As Variant)

'*******************************************************************************
' This function is for allowing the administrator to change anyone's password
'*******************************************************************************

Dim ws As Workspace
On Error GoTo ChangeResetPassword:

' Create a new Administrative Workspace. If The StrAction passed to the
' function is "Change" then change the Password of the User named in
' StrUsername to the password saved in StrNewPassword.
' If the StrAction passed is "Reset", Then reset the password of
' the User mentioned in StrUsername. If neither "Change" or "Reset"
' is passed to the function in the StrAction argument, inform the
' user of an error and exit the procedure.

Set ws = DBEngine.CreateWorkspace("AdminWorkspace", StrAdminLogon, _
StrAdminPass)
If StrAction = "change" Then

     If Not IsNull(StrNewPassword) Then
        ws.Users(StrUsername).NewPassword "", StrNewPassword
        MsgBox "Password Change Successful", vbOKOnly
     Else
         MsgBox "When Attempting to Change A User's Password, You " & _
           "Must Include a New Password", vbOKOnly
     End If

Else

If StrAction = "reset" Then
    'When the current user is in the admins group and reseting
    'his/her own password, the current password must be supplied.
    'In all other cases, the current user password is not needed
    'for a reset.
    If StrUsername = ws.UserName And StrAdminLogon = ws.UserName Then
           ws.Users(StrUsername).NewPassword StrAdminPass, ""
           MsgBox "Password Successfully Reset", vbOKOnly
    Else
           ws.Users(StrUsername).NewPassword "", ""
           MsgBox "Password Successfully Reset", vbOKOnly
    End If
Else
    MsgBox "You must Select a StrAction of either '" & "Change'" & _
      "' or '" & "Reset'.", vbOKOnly
End If

ws.Close
Set ws = Nothing
Exit Sub

ChangeResetPassword:
     MsgBox Err.Description
End Sub



Public Sub ChangeUserPassword(StrUsername As String, StrOldPassword _
	As String, StrNewPassword As String)

'*******************************************************************************
' This function is for allowing a user to change his/her own password ONLY
'*******************************************************************************

On Error GoTo ChangeUserPassword_Err:
DBEngine(0).Users(StrUsername).NewPassword StrOldPassword, _
  StrNewPassword

MsgBox "Password Change Successful", vbInformation
Exit Sub

ChangeUserPassword_Err:
    MsgBox Err.Description
End Sub
  1. Save and Close the Module

  2. Create the Form For Adminstrators
    • Create a new unbound form. Select the forms' properties and assign it the following attributes:
      Tab Property Setting
      Format Caption PW Form for Administrators
        Record Selectors No
        Navigation Buttons No
        Control Box No
        Auto Center Yes
        Min/Max Buttons None
        Close Buttons No
    • Create the following objects for your form:


      • Text Boxes (and Labels)
      Name Input Mask Caption for Label "Object" Name for Label
      txtUserName   User Name lblUserName
      txtOldPassword Password Old Password lblOldPassword
      txtNewPassword Password New Password lblNewPassword
      txtVerifyPassword Password Verify Password lblVerifyPassword
      txtAdminUsername Password Admin User Name lblAdminUserName
      txtAdminPassword Password Admin Password lblAdminPassword

      Command Buttons
      Name Input Mask
      cmdChangeAdmin Change Password
      cmdReset Reset Password
      cmdExit E&xit
    • Save the form as frmChangePasswordsAdmin

  3. Create the Form For Users (Shown)
    • Create a new unbound form. Select the forms' properties and assign it the following attributes:
      Tab Property Setting
      Format Caption PW Form for Administrators
        Record Selectors No
        Navigation Buttons No
        Control Box No
        Auto Center Yes
        Min/Max Buttons None
        Close Buttons No
    • Create the following objects for your form:


      • Text Boxes (and Labels)
      Name Input Mask Caption for Label "Object" Name for Label
      txtUserName   User Name lblUserName
      txtOldPassword Password Old Password lblOldPassword
      txtNewPassword Password New Password lblNewPassword
      txtVerifyPassword Password Verify Password lblVerifyPassword

      Command Buttons
      Name Caption
      cmdChange Change Password
      cmdExit E&xit
      cmdClear &Clear


    • Select the text box txtUserName; selects its properties. Assign the following attributes:
      Property Setting
      Locked Yes
      Control Source =CurrentUser()
      Tab Stop No
    • Save the form as frmChangePasswordsUsers
  4. Copy and paste the following code in both forms in the declarations section:

    Option Explicit
  5. Paste the following code in the form module of frmChangePasswordsAdmin:
    

Private Sub cmdChangeAdmin_Click()

On Error GoTo CmdChangeAdmin_err

' Test to make sure appropriate text boxes are filled in because this
' is an administrative function.

If Not IsNull(Me!txtAdminPassword) And Not _
  isNull(Me!txtAdminUsername) And Not IsNull(Me!txtUserName) Then
    If Me!txtNewPassword <> Me!txtVerifyPassword Then
       MsgBox "The New and Verified Passwords Do Not Match. Please" & _
         " Re-enter", vbCritical
       Me!txtNewPassword = ""
       Me!txtNewVerifyPassword = ""
       Me!txtNewPassword.SetFocus

   Else
       Call ChangeResetPassword("Change",Me!txtUserName, _
         me!txtAdminUsername, me!txtAdminPassword, Me!txtNewPassword)
   End If

Else

 MsgBox "The textboxes for UserName, New Password, Verified " & _
    "Password, Admin UserName and Admin Password must be complete " & _
    "for this function to operate correctly.", vbOKOnly

End If
Exit Sub

CmdChangeAdmin_err:
   MsgBox Err.Description

End Sub

Private Sub cmdReset_Click()

On Error GoTo cmdReset_err

' Test to make sure appropriate textboxes are filled in because this is
' an administrative function.

If Not IsNull(Me!txtAdminPassword) And Not _
  IsNull(Me!txtAdminUsername) And Not IsNull(Me!txtUserName) Then
  Call ChangeResetPassword("Reset", Me!txtUserName, _
  Me!txtAdminUsername, Me!txtAdminPassword)
Else
  MsgBox "The textboxes for UserName, New Password, Verified " & _
    "Password, Admin UserName and Admin Password must be complete " & _
    "for this function to operate correctly.", VBOKOnly
End If
Exit Sub

cmdReset_err:
  MsgBox Err.Description

End Sub

Private Sub cmdExit_Click()
DoCmd.Close
End Sub


  6. Paste the following code into frmChangePasswordsUsers 

    
Private Sub cmdChange_Click()
If IsNull(Me.txtNewPassword) Or IsNull(Me.txtOldPassword) Or IsNull(Me.txtVerifyPassword) Then
    MsgBox "You left a field blank; action cannot be completed", vbCritical, "Error"
    DoCmd.GoToControl "txtOldPassword"
    End
End If

Dim response As Integer, message As String
message = "Are you sure you wish to change your password (Y/N)?"
response = MsgBox(message, vbYesNo, "Password Change Confirmation")
If response = vbNo Then
    MsgBox "Password was NOT changed.", vbCritical, "Action Cancelled"
    End
End If

On Error GoTo cmdChange_err
' Make sure the password typed in the New Password text box
' matches what has been typed in the Verify Password text box.
If Me!txtNewPassword <> Me!txtVerifyPassword Then
   MsgBox "The New and Verified Passwords Do Not Match. " & _
     "Please Re-enter", vbCritical
   Me!txtNewPassword = ""
   Me!txtNewVerifyPassword = ""
   Me!txtNewPassword.SetFocus
Else
   ' Check to make sure the Old Password has been filled in and
   ' if it has, change the password.
   If IsNull(Me!txtOldPassword) Then
       MsgBox "Leaving the Old Password textbox empty will cause " & _
         "an error unless you currently have no password", vbOKOnly
     Call ChangeUserPassword(CurrentUser(), "", Me!txtNewPassword)
   Else
     Call ChangeUserPassword(CurrentUser(), Me!txtOldPassword, _
        Me!txtNewPassword)
   End If
End If

Exit Sub

cmdChange_err:
          MsgBox Err.Description
End Sub

Private Sub cmdClear_Click()
Me.txtNewPassword = Null
Me.txtOldPassword = Null
Me.txtVerifyPassword = Null
DoCmd.GoToControl "txtOldPassword"
End Sub

Private Sub cmdExit_Click()
OKToClose = True
DoCmd.Close
OKToClose = True
End Sub

Private Sub Form_Load()
Me.Caption = "Password Administration for " & CurrentUser()
End Sub


Private Sub txtNewPassword_AfterUpdate()
Me.txtNewPassword = StrConv(Me.txtNewPassword, vbLowerCase)
End Sub

Private Sub txtOldPassword_AfterUpdate()
Me.txtOldPassword = StrConv(Me.txtOldPassword, vbLowerCase)
End Sub

Private Sub txtVerifyPassword_AfterUpdate()
Me.txtVerifyPassword = StrConv(Me.txtVerifyPassword, vbLowerCase)
End Sub

Here are screenshots of how my particular password forms look. There are some differences between them and the ones you probably created, namely the checkbox for allowing the user to turn off the password input mask.