The DbNet System

Password protection

Most people who have used a computer are familiar with passwords. They represent the front line of security in most computer systems. If you have used passwords before, you know all too well that they are a double-edged sword in that they can help protect sensitive data, but can also be a severe impediment to use of the system for legitimate purposes.

Assigning, managing and remembering passwords are all perennial problems in maintaining computer systems. The DbNet system has made every attempt to make this process more manageable for the average user.

Password requirements

The default configuration of the DbNet system does not require passwords. This is done so that you can first become familiar with the operation of the system before becoming embroiled in the task of password management. Some people may choose not to ever assign passwords to their system. This is certainly a viable option if the system is used only on one machine or over a local network in a small office where access to data is not a serious concern.

If you intend to distribute your data over a large network or over the internet, however, passwords are essential to the long-term security of your database. If you keep sensitive financial information on your system, passwords will prevent unauthorized access.

Assigning passwords

Assigning passwords is, in most cases, a two-step process. A password is assigned to a user, and every user is required to have a profile assigned to them. A profile is a set of permissions (or restrictions, depending on your view) that allows the user access to certain parts of the database. Developing profiles is a somewhat complex process and is discussed later in this presentation. For the purposes of this discussion, we will use the Administrator profile, which is installed by default on the system and gives full access to all parts of the system.

The Administrator profile has no restriction on what it can do with the system. There must always be an Administrator among the users so that someone can update and maintain the system. It is possible to lock yourself out of the system if there is no Administrator.

ALWAYS ASSIGN AN ADMINISTRATOR AS THE FIRST USER WITH A PASSWORD

To assign passwords, go to the System Functions screen and select the Users button. A spreadsheet will appear. Initially, the spreadsheet will be blank, so the only available option is to add a User. Set the user name and profile and enter a password. You will need to enter the password twice to verify that you have typed it correctly. User names and passwords are case sensitive, so be careful typing.

It is not a good idea to name the administrator as administrator or admin. These are very commonly used user names for this function and are easily guessed by a potential hacker.

Changing passwords

From time to time it is desirable to change your password. Users may change their own passwords from the System Functions screen by selecting the Change Password function. If a user has forgotten their password, an Administrator may change it for them from the user screen by editing the user.

Password enforcement

The DbNet server is responsible for enforcing password verification on the system. When a client makes its initial request for data, the server checks whether the system requires passwords. The server maintains a list of active sessions, which are held open for 30 minutes. If passwords are required for the system, the server will hold the client request for data and prompt the client for the password. If the client fails to provide the correct password after three tries, the server will lock out the account for 10 minutes before the client may try to enter the password again. Passwords are stored in the system as hashes, rather than as the actual password itself. As sessions expire, the server will prompt the client to re-enter their password. This process is transparent to the end user, as the client will store the hash of the password locally, then transmit it to the server without prompting the end user.
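The enforcement rules above (three tries, a 10-minute lockout, 30-minute sessions, stored hashes) can be modelled in a few lines. This is an added example, not DbNet's own code: the names `PasswordGate` and `hash_password`, the salted PBKDF2 hash, and the fixed (non-sliding) session expiry are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import os
import time

MAX_TRIES = 3            # failed tries before lockout (from the page)
LOCKOUT_SECS = 10 * 60   # lockout length (from the page)
SESSION_SECS = 30 * 60   # session lifetime (from the page)

def hash_password(password, salt):
    # Assumption: salted PBKDF2-SHA256; the page does not name DbNet's hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordGate:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the timing can be tested
        self.users = {}           # name -> (salt, hash); never the password
        self.failures = {}        # name -> consecutive failed tries
        self.locked_until = {}    # name -> time the lockout ends
        self.sessions = {}        # token -> (name, expiry time)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt))

    def login(self, name, password):
        """Return a session token, or None on a bad password or lockout."""
        now = self.clock()
        if now < self.locked_until.get(name, 0):
            return None           # locked: even the right password is refused
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[name] = self.failures.get(name, 0) + 1
            if self.failures[name] >= MAX_TRIES:
                self.locked_until[name] = now + LOCKOUT_SECS
                self.failures[name] = 0
            return None
        self.failures[name] = 0
        token = os.urandom(16).hex()
        self.sessions[token] = (name, now + SESSION_SECS)
        return token

    def session_user(self, token):
        """Return the user of a live session; expired sessions are dropped."""
        name, expiry = self.sessions.get(token, (None, 0))
        if name is None or self.clock() >= expiry:
            self.sessions.pop(token, None)
            return None
        return name
```

The sketch verifies a typed password on the server. In the design described above the client resends a locally stored hash when a session expires, so that stored hash acts as the credential and the client copy needs the same protection as the password.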