Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext


From: ervin () NAME NET (Ervin Fried)
Date: Fri, 5 Feb 1999 16:10:15 -0500


"Donald Moore (MindRape)" wrote:

Microsoft Access 97 databases protected with a password are stored in
foreign mdb's table attachments as plaintext.

Even if the above is bad, at least it is documented.

From Access97 help:

----
topic: About linking tables from a password-protected database

To link a table from a Microsoft Access database that is password-protected,
you must supply the correct password.
If you supply the correct password, Microsoft Access stores the database
password with the information that defines the link to the table.
After the link has been defined, any user who can open the database that
the table is linked to can open the linked table. When a user opens the
linked table, Microsoft Access uses the stored password to open the database
where the table is stored. If the password is changed for the database
where the table is stored, the next time the linked table is opened,
the new password must be supplied before Microsoft Access will open it.

Microsoft Access stores the database password in an unencrypted form.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this will compromise the security of the password-protected database,
you should not use a database password to protect the database.
Instead, you should define user-level security to control access to
sensitive data in that database.
For more information on user-level security, click  >>
------

Some good news:
Passwords for linked tables pointing to an ODBC datasource are not stored
in the database (at least not in plaintext) in the default config.

The password can be stored if you insist
(if you link manually, there is a 'Save password' checkbox),

and there is the system table MSysConf.

again from the help:
==
Use the MSysConf table with linked SQL databases

If you are administering an SQL database that uses Microsoft Access as a
front end, you can create a table in your SQL database named MSysConf to help you
control communication between the two applications.
The MSysConf table has two potential functions:

1.      It can disable the feature that enables users to save the logon ID
and password for a linked SQL database in the Microsoft Access front end.

[snip]

The data in the MSysConf table

There are three valid records in the MSysConf table.
The following table shows what values you should enter in the Config and
nValue field. The other columns are reserved for future use, and their contents are
ignored.

Config  nValue  Meaning
101     0       Don't allow local storage of the logon ID and password in linked
                tables.
101     1       Allow local storage of the logon ID and password in linked tables.

======

This may give a workaround for the plaintext problem:
don't link directly to the .mdb, but set up an ODBC datasource and
link to your tables via that datasource.
The above may not work.
I've been trying to do it for the last hour, and Access hangs after I select the
ODBC DSN.


Another issue: while looking at mdb files in a text editor, I noticed
that the files contain 'garbage' info also (random memory
content, since it was info I typed minutes ago).
'Compact database' didn't help.

I can't tell much about this yet, but I remember this was an
issue with Mac versions of MSOffice software.



Regards,

Ervin
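
As an added example (not part of the original post or of the Access help text), here is a Python check that reviews linked-table Connect strings for a saved PWD= value, covering both the direct .mdb link and the ODBC 'Save password' case described above. The `;DATABASE=...;PWD=...` and `ODBC;DSN=...` layouts, the table names and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample data: (linked table name, Connect string) pairs as they
# might be exported from a front-end database. All names and values are made up.
SAMPLE_LINKS = [
    ("Orders",    ";DATABASE=C:\\data\\backend.mdb;PWD=example-pw"),
    ("Customers", ";DATABASE=C:\\data\\open.mdb"),
    ("Invoices",  "ODBC;DSN=Sales;UID=appuser;PWD=example-pw;DATABASE=sales"),
    ("Products",  "ODBC;DSN=Sales;DATABASE=sales"),
]

def parse_connect(connect):
    """Split 'TYPE;KEY=VALUE;...' into (source_type, {KEY: value})."""
    source_type, _, rest = connect.partition(";")
    fields = {}
    for part in rest.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value
    # Assumption: an empty type prefix means a link to another .mdb file.
    return (source_type.strip().upper() or "JET"), fields

def audit_link(name, connect):
    """Return a finding for one linked table without echoing the secret."""
    source_type, fields = parse_connect(connect)
    has_pwd = bool(fields.get("PWD"))
    if source_type == "JET" and has_pwd:
        finding = "database password stored in link"
    elif source_type == "ODBC" and has_pwd:
        finding = "ODBC logon saved in link (set MSysConf 101 = 0 on the server)"
    else:
        finding = "no stored password"
    # Redact the value so the audit report does not become a second copy of it.
    redacted = re.sub(r"(?i)(PWD=)[^;]*", r"\1<redacted>", connect)
    return {"table": name, "type": source_type, "stored_password": has_pwd,
            "finding": finding, "connect": redacted}

def audit(links):
    return [audit_link(name, connect) for name, connect in links]

if __name__ == "__main__":
    for row in audit(SAMPLE_LINKS):
        print(f"{row['table']:<10} {row['type']:<5} {row['finding']}  [{row['connect']}]")
```
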


