Good morning, I did take a look at that article a short while ago. It's an interesting read and they do have a number of interesting security options available. But there is still the fundamental issue that the gateway or login process is one that can be hacked, and sometimes quite easily, due to the lack of modern protections. When it was released it was pretty good, but lately, as I look closer at it with questions from a state government security person, I can see a number of glaring holes that should be filled. These are the biggest ones I see.

1. Passwords are only alphanumeric.
2. No two factor options.
3. Usernames and passwords are stored in the Structure file. (Very bad if you're revving structure files during continuous development.)
4. No account lockouts for failed authentication attempts. An attacker can just continuously try usernames and passwords indefinitely.
5. The AD options require that you serve from a Windows server bound to an AD system. You cannot use this if you have Mac clients or an Apple server.
6. No ability to define password difficulty or force password changes periodically. (I know that the need to change passwords regularly has been debunked, but most govt. best practice documents still believe that's the way to go.)

Thanks for the feedback.

> On Sep 6, 2019, at 3:22 AM, Maurice Inzirillo - AJAR <maurice.inziri...@ajar.ch> wrote:
>
> Hi Eric,
>
> Regarding 4D security I recommend to read this special 4D Security Guide to
> get a full idea of what 4D offers
>
> https://blog.4d.com/4d-security-guide/
>
> Best regards,
>
> Maurice Inzirillo
> --
> AJAR S.A.
>
> https://ch-fr.4d.com
> twitter: ajar_info
> Tél : +41 (0)323422684
>
>> On 5 Sep 2019, at 16:22, Eric Naujock via 4D_Tech <4d_tech@lists.4d.com> wrote:
>>
>> Does anyone have a replacement login system for 4D that offers stronger
>> authentication security than the current system? Since the current system
>> does not enforce password changes or password complexity, it is a pretty
>> poor system in the current age. While the encryption is crypt, it is still
>> brute force attackable as well. There are no failed login lockouts. Nor is
>> there the ability to have two factor authentication? Or is this something
>> beyond what anyone out there is using.
>>
>> -----------------------------------------------------------------------
>>
>> MacCafe
>> 7860 Central Ave.
>> Toledo, OH 43617
>> Phone: (419) 885-1240 X 241
>> Fax: (419) 517-2063
>> Eric Naujock - ACSA 10.2, 10.3, 10.4 Apple - ACTC 10.5, 10.6, 10.7, 10.8,
>> 10.9, 10.10, -ACSP 10.11, 10.12, 10.13
>> http://www.mac-cafe.com
>> email: er...@mac-cafe.com <mailto:e...@mac-cafe.com>
>> AOL IM: erlic
>>
>> **********************************************************************
>> 4D Internet Users Group (4D iNUG)
>> Archive: http://lists.4d.com/archives.html
>> Options: https://lists.4d.com/mailman/options/4d_tech
>> Unsub: mailto:4d_tech-unsubscr...@lists.4d.com
>> **********************************************************************