Access should not expose SQL UserID / Passwords

Guest

I was researching security issues for a client - After logging into SQL
Server with an Access application (Access front-end) (SQL Server back-end)
the User ID and Password used to log into SQL Server remain visible and
readable in the MDB and possibly in the MDE. This was proven by using a
binary file reading application and searching the MDB for the phrase
password.
 
Gijs Beukenoot

Mike_In_Indy wrote:
> I was researching security issues for a client - After logging into SQL
> Server with an Access application (Access front-end) (SQL Server back-end)
> the User ID and Password used to log into SQL Server remain visible and
> readable in the MDB and possibly in the MDE. This was proven by using a
> binary file reading application and searching the MDB for the phrase
> password.

So? It will also be visible in a VB app or ....

Possible solution
Make an MDE (code is protected) and 'break' your (hardcoded) userID and
pwd in two or three strings

Private Const strpwd1 As String = "Pas"
Private Const struser2 As String = "ser"
Private Const strpwd2 As String = "sw"
Private Const struser1 As String = "U"
Private Const strpwd3 As String = "ord"

' Assembled at run time, so these are variables (a Const needs a value and cannot be assigned)
Public strusername As String
Public strpassword As String

Somewhere in the code you add them up like
strusername = struser1 & struser2
strpassword = strpwd1 & strpwd2 & strpwd3


Or make an encryption on them
P = Q
A = B
S = T
S = T
W = X
etc.
 
'69 Camaro

Hi, Mike.


I see that you've posted this message in Microsoft's Online Communities Web
site as a "suggestion" awaiting a response from Microsoft, but since your
message is posted in UseNet, don't be surprised if non-Microsoft experts
post responses to this message.
> After logging into SQL
> Server with an Access application (Access front-end) (SQL Server back-end)
> the User ID and Password used to log into SQL Server remain visible and
> readable in the MDB and possibly in the MDE.

Fear not. It's in the MDE database file, as well.
> This was proven by using a
> binary file reading application and searching the MDB for the phrase
> password.

That would be the "hard way" to find it. There are easier ways to easily
view this information for anyone who has a copy of Microsoft Access (same
version as you have, or higher), or Windows 2K (or a more recent Windows
operating system), or MDAC 2.1 or higher.

Since you posted this message as a "suggestion" -- and will wait for a
response from Microsoft -- instead of as a question, I will merely inform
you that an experienced database developer can easily hide this connection
string information from users. ;-)

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)
 
david epsom dot com dot au

Access saves connection information in the database.
VB does not have a database, so you only need to encrypt
the stored values in code.

In Access, the link information for each linked table
is stored in a table. You can't encrypt the link: if
you are not using Trusted Connections, you either need
to clear the table links or encrypt the entire database
file.

(david)
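
An added example, not code from any poster in this thread: a check to run on a front-end file before distributing it, which scans the file's bytes for the credential pairs the thread says remain readable and reports them with the values masked. The key list, the two text encodings searched and the sample connect string are assumptions made for illustration.

```python
import re
import sys

KEYS = ("UID", "PWD", "User ID", "Password")  # credential keys in ODBC / OLE DB strings

# Constructed sample (not taken from a real database): a UTF-16LE link string
# with SQL logins, followed by a single-byte one using a trusted connection.
SAMPLE = (
    b"\x00\x01junk"
    + "ODBC;DRIVER=SQL Server;SERVER=db01;UID=appuser;PWD=Example#1;DATABASE=Sales".encode("utf-16-le")
    + b"\xff\xfe"
    + b"ODBC;DRIVER=SQL Server;SERVER=db01;Trusted_Connection=Yes;DATABASE=Sales"
)


def _pattern(wide):
    """Compile a bytes regex for KEY=value; wide=True matches UTF-16LE text."""
    pad = rb"\x00" if wide else b""
    def enc(text):
        return b"".join(re.escape(bytes([b])) + pad for b in text.encode("ascii"))
    keys = b"|".join(enc(k) for k in KEYS)
    not_in_word = b"(?<![A-Za-z]" + pad + b")"       # so GUID= is not read as UID=
    value = rb"((?:[^;\x00-\x1f\x7f-\xff]" + pad + b")+)"  # value runs to ';' or non-text
    return re.compile(not_in_word + b"(" + keys + b")" + enc("=") + value, re.IGNORECASE)


def find_embedded_credentials(data):
    """Return sorted (offset, encoding, key, masked_value) tuples; values are never echoed."""
    findings = []
    for wide, label, codec in ((False, "single-byte", "ascii"), (True, "utf-16le", "utf-16-le")):
        for m in _pattern(wide).finditer(data):
            key = m.group(1).decode(codec).upper()
            masked = "*" * len(m.group(2).decode(codec))
            findings.append((m.start(), label, key, masked))
    return sorted(findings)


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the named files.
    blobs = [("SAMPLE", SAMPLE)]
    if sys.argv[1:]:
        blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    hits = 0
    for name, blob in blobs:
        for offset, encoding, key, masked in find_embedded_credentials(blob):
            hits += 1
            print(f"{name}: offset {offset:#x} ({encoding}) {key}={masked}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any hit lets the script act as a gate in a build or packaging step; a file whose links use Trusted Connections produces no findings.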
 
