> On 6 Sep 2019, at 16:50, Eric Naujock <e...@mac-cafe.com> wrote:
> 
>>> 
>>> 4. No account lockouts for failed authentication attempts. An attacker 
>>> can just continuously try usernames and passwords indefinitely. 
>> the only workaround is to have to write your own login dialog.
>> I do not know if this is viable for iOS or web based access.
> 
> Yep, that is a definite roll your own. But if you want to be seriously 
> considered in this day and age with a security focused department you best 
> have this as an option. 

4D uses the BCrypt algorithm, which is slow by design, to hash the password. More 
about it:

https://en.wikipedia.org/wiki/Bcrypt

There is a 4D function and a 4D command that can be used to change the current 
user and validate a password:

- Validate password

- CHANGE CURRENT USER

The execution of both is delayed to prevent flooding (brute force 
attack). As a result, after the 4th call to these commands, it is run only 
after a period of 10 seconds. This delay is throughout the entire workstation. 
So brute force is not really a big issue here!


Maurice Inzirillo
-- 
AJAR S.A.

https://ch-fr.4d.com
twitter: ajar_info
Tél : +41 (0)323422684

**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
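
An added example (not part of the original post, and not 4D code): a Python model of the workstation-wide delay described above, combined with the per-account lockout that the thread says has to be hand-rolled. It assumes calls 1 to 4 run immediately and every later call waits 10 seconds; `LoginGate`, `demo_verify`, the 5-failure threshold and the 15-minute lockout are hypothetical.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable

THROTTLE_FREE_CALLS = 4  # post: delay starts "after the 4th call" (assumed: calls 1-4 are immediate)
THROTTLE_DELAY_S = 10    # post: 10 seconds
MAX_FAILURES = 5         # assumed lockout policy, not a 4D setting
LOCKOUT_S = 900          # assumed lockout duration (15 minutes)

_DEMO_USERS = {"alice": "correct horse"}  # constructed sample data


def demo_verify(user: str, password: str) -> bool:
    """Stand-in for the real password check (hypothetical, not bcrypt)."""
    expected = _DEMO_USERS.get(user, "")
    same = hmac.compare_digest(expected.encode(), password.encode())
    return same and user in _DEMO_USERS


@dataclass
class LoginGate:
    verify: Callable[[str, str], bool]
    calls: int = 0                                    # workstation-wide counter
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock time (seconds)

    def attempt(self, user: str, password: str, now: float):
        """Return (outcome, delay_s); outcome is 'ok', 'denied' or 'locked'."""
        if self.locked_until.get(user, 0) > now:
            return "locked", 0  # refused before the password check runs
        self.calls += 1
        # The delay is keyed on the workstation, not on the account being tried.
        delay = THROTTLE_DELAY_S if self.calls > THROTTLE_FREE_CALLS else 0
        if self.verify(user, password):
            self.failures.pop(user, None)
            return "ok", delay
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            # The lockout is keyed on the account, so it holds from any workstation.
            self.locked_until[user] = now + delay + LOCKOUT_S
            self.failures[user] = 0
        return "denied", delay
```

The delay counter lives on one workstation while the lockout table is keyed on the account name, so in a real deployment the lockout state would have to be kept on the server to hold across clients.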
