Good morning,
I did take a look at that article a short while ago. It's an interesting 
read and they do have a number of interesting security options available. But 
there is still the fundamental issue that the gateway or login process is one 
that can be hacked, and sometimes quite easily, due to the lack of modern 
protections. When it was released it was pretty good, but lately, as I look 
closer at it with questions from a state government security person, I can see a 
number of glaring holes that should be filled. These are the biggest ones I see.

1. Passwords are only alphanumeric.
2. No two factor options.
3. Usernames and passwords are stored in the Structure file. (Very bad if you're 
revving structure files during continuous development.)
4. No account lockouts for failed authentication attempts. An attacker can just 
continuously try usernames and passwords indefinitely. 
5. The AD options require that you serve from a Windows server bound to an AD 
system. You cannot use this if you have Mac clients or an Apple server.
6. No ability to define password difficulty or force password changes 
periodically. (I know that the need to change passwords regularly has been debunked, 
but most govt. best practice documents still believe that’s the way to go.)

Thanks for the feedback.

> On Sep 6, 2019, at 3:22 AM, Maurice Inzirillo - AJAR 
> <maurice.inziri...@ajar.ch> wrote:
> 
> Hi Eric,
> 
> Regarding 4D security, I recommend reading this special 4D Security Guide to 
> get a full idea of what 4D offers:
> 
> https://blog.4d.com/4d-security-guide/
> 
> 
> Best regards,
> 
> Maurice Inzirillo
> -- 
> AJAR S.A.
> 
> https://ch-fr.4d.com
> twitter: ajar_info
> Tél : +41 (0)323422684
> 
> 
> 
> 
>> On 5 Sep 2019, at 16:22, Eric Naujock via 4D_Tech <4d_tech@lists.4d.com> 
>> wrote:
>> 
>> Does anyone have a replacement login system for 4D that offers stronger 
>> authentication security than the current system? Since the current system 
>> does not enforce password changes or password complexity, it is a pretty 
>> poor system in the current age. While the encryption is crypt, it is still 
>> brute force attackable as well. There are no failed login lockouts. Nor is 
>> there the ability to have two factor authentication. Or is this something 
>> beyond what anyone out there is using?
>> 
>> -----------------------------------------------------------------------
>> 
>> MacCafe
>> 7860 Central Ave.
>> Toledo, OH 43617
>> Phone: (419) 885-1240 X 241
>> Fax: (419) 517-2063
>> Eric Naujock  -  ACSA 10.2, 10.3, 10.4 Apple - ACTC 10.5, 10.6, 10.7, 10.8, 
>> 10.9, 10.10, -ACSP 10.11, 10.12, 10.13
>> http://www.mac-cafe.com
>> email: er...@mac-cafe.com
>> AOL IM: erlic
>> 
>> 
>> 
>> **********************************************************************
>> 4D Internet Users Group (4D iNUG)
>> Archive:  http://lists.4d.com/archives.html
>> Options: https://lists.4d.com/mailman/options/4d_tech
>> Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
>> **********************************************************************
> 
