Mike_In_Indy wrote:
> I was researching security issues for a client - After logging into SQL
> Server with an Access application (Access front-end) (SQL Server back-end)
> the User ID and Password used to log into SQL Server remains visible and
> readable in the MDB and possibly in the MDE. This was proven by using a
> binary file reading application and searching for the MDB for the phrase
> password.
So? It will also be visible in a VB app or ....
Possible solution
Make an MDE (code is protected) and 'break' your (hardcoded) userID and
pwd in two or three strings
Private Const strpwd1 As String = "Pas"
Private Const struser2 As String = "ser"
Private Const strpwd2 As String = "sw"
Private Const struser1 As String = "U"
Private Const strpwd3 As String = "ord"
' Variables, not constants: they are assigned at run time
Public strusername As String
Public strpassword As String
Somewhere in the code you add them up like
strusername = struser1 & struser2
strpassword = strpwd1 & strpwd2 & strpwd3
Or make an encryption on them
P = Q
A = B
S = T
S = T
W = X
etc.

Signature
Your eyes are weary from staring at the CRT. You feel sleepy. Notice
how restful it is to watch the cursor blink. Close your eyes. The
opinions stated above are yours. You cannot imagine why you ever felt
otherwise.
david epsom dot com dot au - 29 Nov 2004 03:18 GMT
Access saves connection information in the database.
VB does not have a database, so you only need to encrypt
the stored values in code.
In Access, the link information for each linked table
is stored in a table. You can't encrypt the link: if
you are not using Trusted Connections, you either need
to clear the table links or encrypt the entire database
file.
(david)
> Mike_In_Indy wrote:
> > I was researching security issues for a client - After logging into SQL
[quoted text clipped - 30 lines]
> W = X
> etc.
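An added example, not code from any post in this thread: an audit check for the point david makes above, that the connect string of each linked table is stored in the database file. It reports which ODBC connect strings in a file carry a saved password and which use a Trusted Connection, without returning the password itself. The function names, the sample bytes and the server name are constructed for illustration, and the scan assumes the connect string is stored as readable text, either single-byte or UTF-16LE.

```python
import re

# A linked-table connect string: "ODBC;" followed by key=value pairs.
CONNECT_RE = re.compile(r"ODBC;[^\x00-\x1f]{0,400}")
SECRET_KEYS = ("PWD", "PASSWORD")

def _text_views(data):
    """Yield (label, text) for single-byte text and both UTF-16LE alignments."""
    yield "ascii", data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) // 2 * 2]  # whole 16-bit units only
        yield "utf-16le", chunk.decode("utf-16-le", errors="ignore")

def audit_connect_strings(data):
    """One finding per connect string; the password value itself is never returned."""
    findings = []
    for label, text in _text_views(data):
        for match in CONNECT_RE.finditer(text):
            pairs = {}
            for part in match.group(0).split(";")[1:]:
                key, sep, value = part.partition("=")
                if sep:
                    pairs[key.strip().upper()] = value.strip()
            findings.append({
                "encoding": label,
                "server": pairs.get("SERVER", ""),
                "uid": pairs.get("UID", ""),
                "saved_password": any(pairs.get(k) for k in SECRET_KEYS),
                "trusted": pairs.get("TRUSTED_CONNECTION", "").lower() in ("yes", "true"),
            })
    return findings

# Constructed sample bytes (not a real MDB): one link with SQL authentication
# stored as UTF-16LE, one link using a Trusted Connection stored as ASCII.
_SQL_AUTH = ("ODBC;DRIVER=SQL Server;SERVER=db01.example.test;"
             "UID=appuser;PWD=not-a-real-secret;DATABASE=Sales")
_TRUSTED = (b"ODBC;DRIVER=SQL Server;SERVER=db01.example.test;"
            b"Trusted_Connection=Yes;DATABASE=Sales")
SAMPLE = (b"\x00\x01constructed-hdr\x00" + _SQL_AUTH.encode("utf-16-le")
          + b"\x00\x00\x07\x00" + _TRUSTED + b"\x00")

if __name__ == "__main__":
    for finding in audit_connect_strings(SAMPLE):
        print(finding)
```

An empty result only means no readable connect string was found; a file that is encrypted as a whole, or that stores the text in another form, will not match.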
Hi, Mike.
I see that you've posted this message in Microsoft's Online Communities Web
site as a "suggestion" awaiting a response from Microsoft, but since your
message is posted in UseNet, don't be surprised if non-Microsoft experts
post responses to this message.
> After logging into SQL
> Server with an Access application (Access front-end) (SQL Server back-end)
> the User ID and Password used to log into SQL Server remains visible and
> readable in the MDB and possibly in the MDE.
Fear not. It's in the MDE database file, as well.
> This was proven by using a
> binary file reading application and searching for the MDB for the phrase
> password.
That would be the "hard way" to find it. There are easier ways to easily
view this information for anyone who has a copy of Microsoft Access (same
version as you have, or higher), or Windows 2K (or a more recent Windows
operating system), or MDAC 2.1 or higher.
Since you posted this message as a "suggestion" -- and will wait for a
response from Microsoft -- instead of as a question, I will merely inform
you that an experienced database developer can easily hide this connection
string information from users. ;-)
HTH.
Gunny
See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.
(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)