Protect passwod

G

Guest

Hi,

I've come across various software that allows users to retieve passwords
from .mde s and .mdb s (eBandwagon Software, TheDrideon Software, Access MDE
Unlocker to name just a few). I'm afraid that hackers will be able to
retrieve our password for only $9.99.

Has anyone any idea how to stop these softwares from retrieving passwords.

I'm in a bit of a desperate situation so any help would be greatly
appreciated

Thanking you in advance

Hazel

-----
 
T

TC

The ULS passwords are only retrievable because of a schoolboy howler
mistake in how they are encrypted in the workgroup file. It needs a
2-line fix to Jet, to stop this happening! I've given them a paper on
this. It remains to be seen if they'll fix it. It would be a huge
improvement in ULS, IMHO.

TC
 
T

TC

Hi Jeff

I gave it to Andrew Miller (the Access team lead) some time ago. He has
confirmed to me that they have reviewed it. But apparently, MS policy
prevents him saying what they plan to do with it. He did say: "I think
I can tell you that this is an area that we are looking at very
closely", so I am somewhat hopeful :)

The suggestion in question would completely prevent the instant,
reverse engineering of plaintext passwords from a workgroup file. All
such products that are currently on the market, would stop working -
and there would be no way to make them work again. There would of
course be other ways to break security - eg. brute-force searching the
whole password space - but it would no longer be possible to instantly
reverse-engineer them.

Get on to your contacts & say you heard about this & are they going to
do it? The more people ask, the more it is possible (maybe). For your
reference, my email to Andrew was titled "Access/jet security", and he
initially acknowledged it on Tuesday, 12 Apr 2005 at 09:27:49 -0700.

Cheers,
TC
(off for the day)
 
T

TC

PS. I'd be happy to give you a copy, but I don't want A.M. to think
that I am trying to work around him. I sent it to him originally, and
IMO it is now up to him what he does with it, & who he gives it to.

Regards,
TC
 
C

Chris Mills

What a complete waste of time, since this duplicitous MVP has ASSISTED putting
cracking in the mainstream.

Another MVP (Lynn Trapp), says this stuff is necessary to advertise because
some poor user might legitimately forget their password etc,etc. The security
implications are diddims, according to him.

"TC" has indicated these downloadable cracking programs should be advertised,
for the above reason.

AAMOI, SQL Server is also claimed crackable with s/w downloads, anyone can do
an internet search, but it does not necessarily follow that the information
should be publicised, as I do here in following the exemplary (snort) lead of
3 renegade MVP's.

(the other one is Tony Toews, since I mentioned 3)
Chris
 
T

TC

Chris, if you want to contribute effectively to this newsgroup, I
suggest you drop this hobby horse. We all know your opinion on this, we
do not need to hear it again. This is just my 2c, you can take it or
leave it, I will not discuss this further.

TC
 
C

Chris Mills

I will continue to advertise as directed by the named goodselves.

The opinion I have received, is that Access Cracking should be advertised by
the said good MVP, Jeff Conrad.

Is this true, that it should be advertised, or not? I don't appreciate CUTE
answers from two-character non-entities. (or anyone else, for that matter, on
security duplicity)

Chris
 
C

Chris Mills

PS I did mention privately to Tony Toews, because for some reason he asked me
(being on a Microsoft Committee for suggested improvements to Runtime), that
security could be looked at, PDW limitations, SP upgrading process, and
otherwise I was generally happy with RUNTIME. I SPECIFICALLY mentioned that
"TC" had a suggestion about password security (and quoted one thread in this
ng, though not likely original).

Would you mind contacting Tony privately about your suggestion, to make sure
he is aware of it. I don't know and don't need to know the details. To me, a
"two-line" fix sounds like a "two-line" crack, and quoting a "two-bit
anonymous identity" tends to lack clout) (even though it is obvious you are
very experienced)

The above is entirely separate from any other security issues. I don't think
Tony has generally broadcasted a request for thoughts (on runtime), but I
don't believe I breach trust, given the seriousness in which I take some
issues.

This post is given in earnest. I encourage you to promote your fix. And the
reasons for it. Vs some of the Utter Stupidity given by Lynn Trapp and others
to collect around an MVP because they thought he was under attack and NOTHING
ELSE mattered to them.
Chris
 
T

TC

Why on earth would I want to contact Tony Toews about it? What has it
got to do with the runtime?

Go back & read what I said. MS already have the suggestion in writing.

TC
 
C

Chris Mills

Well, I appreciate from your posts that you have said you are unfamiliar with
runtime (many people use it quite successfully), or you confused runtime with
other issues you had.

The relevance is that Tony is on an Access Advisory Council for Microsoft,
currently soliciting runtime requests. Runtime is a part of Access, and there
are security amongst other issues to do with runtime, even though it's
primarily a licensing system, but admittedly the linkage with ULS is tenuous.
Anyway, he was just another potential avenue to get things through to
Microsoft, even though I'm sure you and Jeff Conrad have other good ones.

Of course, I appreciate that you didn't want to "hit" the design team from too
many sides. Perfectly understandable. I'll be very pleased if your suggestion
(improve the ULS crackability) results in a diminishing of downloadable
cracking s/w as Jeff Conrad so gaily propagates.

Chris
 
T

TC

Jeff

Arghhhhhhhhh!!!

then:

Wheeeeeeeeeeeeeeee!

Access 12 will have a new version of Jet. Previously, Jet lived with
the SQL*Server team, so presumeably, the Access folks could not do
anything to or with it, unless the Server folks agreed, or did it for
them.

Now, the Access team has their own (seperate) copy of Jet, & plan to
continue enhancing it into the future! I gather that it will have a new
file format, based on Office encryption. So hopefully, all of the
previous mistakes that they made in their crypto, will not be repeated.

So, at this point, my suggestion is only relevant in so far that it
identifies a mistake that they made with their previous crypto.
Hopefully they will not make the same mistake again!

I gather that the new Jet will be fully backwards compatible - so this
might solve a whole lot of angst that folks like me have been having
about their large Access/Jet apps, & how to move those into the future.

All of this is now public knowledge: http://blogs.msdn.com/access

"Jet is dead! Long live Jet!!"

Thanks for your suggestion regarding my suggestion. I appreciated your
offer to help, though I do not appear to have said that so far!

Cheers,
TC
 
C

Chris Mills

Excellent news, TC!! Ta!!!

Does this mean that Jeff Conrad and others will no longer be able to post
Cracking Downloads? What about all the legitimate users who forget their
passwords as You and Lynn Trapp were so worried about? Goodness help them...

If a CRACK for the new s/w becomes available anywhere on the internet, should
I advertise it just like Jeff Conrad?

What's this? The blog you so proudly promulgate has nothing to do with
improved security? In this thread subject? How can that possibly be?

Chris
 
J

Jeff Conrad

Hi TC,

This information you might find interesting.
And yes, the links below are public knowledge and not under NDA.
These were some PPT presentations from PDC.

New UI stuff... Yep, Access 12 is undergoing a major facelift!
http://216.55.183.63/pdc2005/slides/OFF201_Harris.ppt
http://216.55.183.63/pdc2005/slides/OFF302_Dhanjal.ppt

Building apps on WSS is a big emphasis of this release:
http://216.55.183.63/pdc2005/slides/OFF310_Morton.ppt
http://216.55.183.63/pdc2005/slides/OFF415_Hatoun.ppt

Interested in taking advantage of managed code inside Access?
http://216.55.183.63/pdc2005/slides/OFF417_Whitechapel.ppt

Last but not least--here is the link to a developer overview session:
http://216.55.183.63/pdc2005/slides/OFF307_Covington.ppt

Here is a blog that lists all the Office sessions:
http://blogs.msdn.com/erikaehrli/archive/2005/09/19/officesharepointpdcslides.aspx

--
Jeff Conrad
Access Junkie - MVP
http://home.bendbroadband.com/conradsystems/accessjunkie.html
http://www.access.qbuilt.com/html/articles.html


in message:
 
C

Chris Mills

It would be appreciated if you would take topics outside of the OP thread
subject, Off Topic, or say so in your subject.

Access 12 deserves a new thread, I suspect.

Regards
Chris
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

MS Access program protection 15
Microsoft Access Table Security 2
OT: 97 to 2003 MDE problems 5
Open a protected file in a new window 0
DB Password Protection 1
Record/Page Locking 2
Best security practice 1
Security/Programming Question 1

Top