Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext

From: zorkeres () HOTMAIL COM (Zorkeres .)
Date: Thu, 11 Feb 1999 13:54:14 PST


I don't think this is the philosophie to follow.
If you implement a password scheme for the data base and you market it
as secure users don't have to take all the step you talk about.

What bugs me more about this "bug" is the little comment you said at the
end of your post "for what it was orignally intended for -- keeping out
unsophisticated users."  I don't think I'm the only one here that think
that should think before making comments like that.
In other words your saying to all microsoft users , "Microsoft the
legion of unsophisticated users". I will let the marketing department of
Microsfot sort that out, anyways that is the only department that really
work efficiently there. Thinking that way about security is the best way
to end up with your panths down everyone second.

From owner-bugtraq () netspace org Thu Feb 11 10:49:18 1999
Received: from netspace.org ([128.148.157.6]:40285 "EHLO netspace.org"

ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id
<82888-18926>; Thu, 11 Feb 1999 13:26:47 -0500

Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release

1.8d) with

         spool id 712658 for BUGTRAQ () NETSPACE ORG; Thu, 11 Feb 1999

18:17:39

         +0000
Approved-By: aleph1 () UNDERGROUND ORG
Received: from mail3.microsoft.com (mail3.microsoft.com

[131.107.3.123]) by

         netspace.org (8.8.7/8.8.7) with ESMTP id VAA08340 for
         <BUGTRAQ () NETSPACE ORG>; Tue, 9 Feb 1999 21:56:26 -0500
Received: by mail3.microsoft.com with Internet Mail Service

(5.5.2524.0) id

         <D8VVC8YV>; Tue, 9 Feb 1999 18:56:10 -0800
X-Mailer: Internet Mail Service (5.5.2524.0)
Message-ID: <CB6657D3A5E0D111A97700805FFE65870B48DD52@RED-MSG-51>
Date:  Tue, 9 Feb 1999 18:56:08 -0800
Reply-To: Paul Leach <paulle () MICROSOFT COM>
Sender: Bugtraq List <BUGTRAQ () NETSPACE ORG>
From:  Paul Leach <paulle () MICROSOFT COM>
Subject:      Re: Microsoft Access 97 Stores Database Password as

Plaintext

X-To:         Jim Paris <jim () JTAN COM>
To:    BUGTRAQ () NETSPACE ORG

-----Original Message-----
From: Jim Paris [mailto:jim () JTAN COM]
Sent: Tuesday, February 09, 1999 2:46 PM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Microsoft Access 97 Stores Database Password as

Plaintext

The following text was posted to USENET, and indexed on a

Russian cypherpunk

site.  I found it when I was doing some work with Access 97

databses.  I

think you will agree that this particular "feature" makes the

linked

database password issue moot.


Most definately!


No, I claim it was _always_ moot. Even if the password were strongly
encrypted, the rest of the data in the database is not. So, unless

you've

used ACLs to protect the database, the data in it _is_ available, it's

just

a matter of a some amount of work.

Unless the programmer went to a lot of work to obscure the password

storage,

the following procedure should work on nearly any of that generation of
applications that pretended to "password protect" their files in the

absence

of file system security:

1. Create as small a database/file as possible, with an empty password.
2. Copy it.
3. Change the password on one copy
4. Diff the databases/files -- this will isolate even a strongly

encrypted

encrypted blank password.
5. Copy the target
5. Copy the encrypted blank password into the same offset in the copy

of the

target database/file.

On the other hand, if you used ACLs to protect the database/file, then

you

could use a blank password, and it wouldn't matter.

It is a fundamental security principle that effective security checks

must

be enforced by something that can _not_ be bypassed. Since, without

ACLs or

using the password to encrypt the whole database/file, there is no way

to

prevent the password checking from being bypassed, the approach is only

good

for what it was orignally intended for -- keeping out unsophisticated

users.


Paul



______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

Current thread:

Re: Microsoft Access 97 Stores Database Password as Plaintext, (continued)
- - - Re: Microsoft Access 97 Stores Database Password as Plaintext Billy Naylor (Feb 12)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Ian Smith (Feb 12)
    - Applets listening on Sockets in Java Tim Wright (Feb 12)
    - Applets listening on Sockets in Java Lincoln Stein (Feb 13)
    - Re: Applets listening on Sockets in Java Tim Wright (Feb 15)
    - palmetto.ftpd vulnerability clarification. Jordan Ritter (Feb 12)
    - Microsoft Security Bulletin (MS99-005) aleph1 () UNDERGROUND ORG (Feb 12)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Will Cox (Feb 09)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Michael Nelson (Feb 12)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Paul Leach (Feb 09)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Zorkeres . (Feb 11)