Re: Microsoft Access 97 Stores Database Password as Plaintext

[marillal () nampak co za (Allan Marillier)]

Did you read all the steps involved in recreating this? It _does_
work. See steps 7 and 8 in the original message: Create a NEW
mdb, and link it to the original. The password _is_ stored in the
newly created file in plain text.

The origianl message said that the password is stored in the
second file. No claim was made that it is in the original. The
point being made was not that passwords in a single mdb are at
risk, but that an mdb that links to a password protected file
places the original at risk.

Ricardo Peres wrote:
> Hello,
>
> I have several password-protected MS Access databases, and *none* of
> them has it's password stored as plain text... Your exploit never worked!

<snip>

> > Microsoft Access 97 databases protected with a password are stored in
> > foreign mdb's table attachements as plaintext.  This can be accessed
    ^^^^^^^^^^^

<snip>

> >  7. Create another mdb
> >  8. From the File Menu, select Get External Data, and click Link Tables....
> > Select
> >     the passworded mdb and then select the table you created.
> >  9. Exit Access
> > 10. Perform a strings+grep on the 2nd mdb to reveal the password.