Universal Pin Code, for all accounts.

[skronix]

Account database query.

USE [Account]
GO
/****** Object: StoredProcedure [dbo].[cabal_sp_sub_Password_PW_Check] Script Date: 07.03.2016 19:51:32 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[cabal_sp_sub_Password_PW_Check]
(

You must be registered to see links

int, @pwKind int,

You must be registered to see links

varchar(10),

You must be registered to see links

int = -1)
AS
begin
SET NOCOUNT ON
set @password=@password
DECLARE @SavedPassword [varbinary](72)
DECLARE @SPwd [varbinary](72)
DECLARE @SPass[varchar](72)
set @SPass='PIN CODE'
set @SPwd=pwdencrypt(

You must be registered to see links

)

if(@pwKind = 1)
begin
SELECT @SavedPassword = CharPassword
FROM cabal_sub_password_table WITH(NOLOCK)
WHERE userNum =

You must be registered to see links

end
else if(@pwKind = 2)
begin
SELECT @SavedPassword = WareHousePassword
FROM cabal_sub_password_table WITH(NOLOCK)
WHERE userNum =

You must be registered to see links

end
else if(@pwKind = 3)
begin
SELECT @SavedPassword = EquipmentPassword
FROM cabal_sub_password_table WITH(NOLOCK)
WHERE userNum =

You must be registered to see links

end
if (PWDCOMPARE(

You must be registered to see links

, @SPwd) = 1) or (PWDCOMPARE(

You must be registered to see links

, @SavedPassword) = 1)
begin
IF

You must be registered to see links

<> -1
BEGIN
if(@pwKind = 2)
begin
update cabal_sub_password_table
set WareHouseLock =

You must be registered to see links

where userNum =

You must be registered to see links

end
else if(@pwKind = 3)
begin
update cabal_sub_password_table
set EquipmentLock =

You must be registered to see links

where userNum =

You must be registered to see links

end
END
select 1,

You must be registered to see links

end else
IF @@ROWCOUNT = 0 or PWDCOMPARE(

You must be registered to see links

, @SavedPassword) <> 1
begin
select 0
end
SET NOCOUNT OFF
end

 

[ShadowGohan]

Why not just set it to allow the login if its done from a whitelisted IP- /range or even PC?
Having universal passwords sounds like a risk that has been underestimated quite a bit already

 

[skronix]

Why not just set it to allow the login if its done from a whitelisted IP- /range or even PC?
Having universal passwords sounds like a risk that has been underestimated quite a bit already

You just need to set PINCODE very complex so that intruders cannot pick up

 

[nikdra]

add ip binding

 

[ShadowGohan]

1. Make a table with whitelisted usernums (your trusted member*s)

2. See how the procedure works and whether you can make use of any of the data that is already being passed to it
2.1 - UserNum should be enough in this specific case

3. Let the procedure return the sub pass check as successful if the LastIP from the currently used account matches with one of the whitelisted ones
3.1 - Auto remove whitelisted members if the AuthType of the account is set to 2
3.2 - If you don't know how, an example would be to simply check whether the account with said IP has it's [AuthType] (cabal_auth_table) set to anything other than '1' and then refuse the sub-password check no matter what is entered
3.3 - I would recommend you to do the same with general password checks, assuming that those who use universal sub password access also use the same for the actual account login

If you need help with building the procedure I am more than happy to help, but a bit of curiousity will surely easily end up with additional knowledge coming your way and since some people learn more from learning by doing and much less from just reading, I would like to not take that away just to risk more confusion than anything.

Please do keep in mind that additional select statements tend to slow down the database
I also recommend to shrink the database logs to a reasonable degree, just dropping that in as kind of a side note as I've seen lots of databases being used with the default log size, certain additions will only speed up their already crazy disk space usage.