APPLICATION DESIGN


Password fields
A Password field is a text field that maintains a user's privacy by displaying each character a user enters as an asterisk on the screen. The contents of the Password field are not secure, and the data is visible in the Document Properties box from the IBM® Lotus® Notes® client. There are several ways to secure the contents of a Password field. If you are using the Password field as a method for securing an application, the best way to secure the contents of a Password field is not to save the contents after the entry is verified. This can be done using a formula that clears the field once it's been verified. You can use the input translation event or a LotusScript QuerySave event.

Example: Using an input translation formula

This formula is an input translation formula for a Password field. When the user enters a password, IBM® Lotus® Domino(TM) looks up the user in the Domino Directory and gets the user's HTTPPassword field. Then, it compares the value that the user inputs into the field with the HTTPPassword field. If the values match, it presents a prompt saying "You passed." If the values do not match the prompt says "You entered an incorrect password."

x:=@DbLookup("";"Server/Acme":"names.nsf";"($Users)";@Username;"HTTPPassword");

REM "This compares the value above to the value the user entered after running it through the @Password hash function and prompts the user whether they typed in a valid password or not.";

@if(@isError(x);@Prompt([OK];"Error";"Error");@Password(Password) = x;@Prompt([OK];"You passed";"You passed");@Prompt([ok];"Password failure";"You entered an incorrect password"));

REM "This deletes the password field.";

@Unavailable

Example: Using a QuerySave event

This script determines whether the Password field contains a password. If it does it gets the name of the author of the document and puts the abbreviated form of the name into the PublicEncryptionKeys field. This effectively encrypts the Password field with the author's public key. This does not involve a lookup to the Domino Directory to get the key. It is retrieved from the user's ID file.

Dim doc As NotesDocument

Dim db As NotesDatabase

Dim session As New NotesSession

Set db = session.CurrentDatabase

Set uidoc=Source

Set doc=source.Document

If doc.GetItemValue("Password")(0) <> "" Then

    Set PkName = New NotesName(doc.GetItemValue("Author")(0))

    Call doc.ReplaceItemValue("PublicEncryptionKeys", PkName.Abbreviated )

End If

Example 2: Using a QuerySave event

This script determines whether one or more password fields contains a password. If one of the fields does contain a password, the script gets the values from the Author field and the OtherEditors field (which might contain a group) and expands the OtherEditors field so that it has names and puts the abbreviated form of the name into the PublicEncryptionKeys field. This effectively encrypts the password field with the public keys for all unique entries in the two fields. This does involve a lookup to the Domino Directory to get the keys for each of the users listed, unless the only value is the name of the current user. If there is more than one name to look up, then it finds the public keys from the Domino Directory. If the only key to look up is the author's, it is retrieved from the user's ID file.

Dim s As New NotesSession

Dim db As NotesDatabase

Dim doc As NotesDocument

Set db = s.CurrentDatabase

Dim uidoc As notesuidocument

Set uidoc=source

Set doc = uidoc.document

 

If (doc.GetItemValue("Password1")(0) <> "") Or (doc.GetItemValue("Password2")(0) <> "") Then

    Call doc.ReplaceItemValue("PublicEncryptionKeys",_
   Evaluate(|@Name([Abbreviate];@Unique(Author:OtherEditors))|,doc))

End If

See Also