Password field encryption

bakkouz

hiya,
I have a 2007 front-end/back-end Access database that uses a username/password authentication method based on a form. All is working fine and well, but the problem is that the passwords are stored in the table as simple text, and even when using a Password input mask, anyone who manages to access the back-end dbase file directly could easily remove that and see all the stored passwords.

So, is there a way to encrypt/decrypt the passwords so that they could only be revealed or decrypted using a form within the front-end file? Or any method of that sort?

Thanks.
 

CBrighton

Technically, since encryption is just applying a mathematical algorithm to a string of characters, you could create your own VBA functions to encrypt & decrypt passwords.

Put these functions in an external database with links to the table holding the passwords and anyone accessing the BE wouldn't see the functions.
 

bakkouz

CBrighton:
How can I create these functions? I'm just a beginner, I don't know how to do that :)
 

gemma-the-husky

a simple way to deter casual hackers is to use xor

if you xor each character in a string with a given value, you will get an encrypted string. the nice thing about xor, is that if you repeat the process, you get the original string back.

a one time use encryption would be pretty hard to unscramble.
 

penguino29

Hi bakkouz.

You should be looking at a hash function. It is a one-way encryption. Common ones are MD5 or SHA1 (google them and have a look).

The idea is that: when a user saves his/her password, your code encrypts the password using the hash function, and saves the encrypted version in your database.

Later, when the user authenticates him/herself, he/she enters the password, your code runs the hash function to encrypt again what they have entered as the password, and compares that against the already encrypted one in the table.

MD5 and SHA1 are OK but they are not considered to be strong if your users have dictionary based passwords.

Hope it makes sense.
 

gemma-the-husky

obviously all of this depends on you using an mde, rather than a mdb - as if users can get at your code, any protection is moot
 

penguino29

Forgive me for being contrary to what has been said.
One-way hash functions were designed for security purposes.

That is to say that: even if your adversary obtained a copy of the function (i.e. the VBA code) of the hash function, and also obtained a list of the encrypted password(s), there is no reversible function that the adversary can use to "decode" and recover the original password(s).

However, due to recent technological breakthroughs in computing speed, people have been spending CPU/GPU time encrypting all possible and common words in the dictionary using MD5 and SHA1 functions. (Note: they cannot "decrypt", but they can "ENcrypt" most commonly used possibilities and check against them.) This is a brute-force approach.

What it means is that if one were to use a common word (e.g. john), then its hash value (527bd5b5d689e2c32ae974c6229ff785) has already been calculated so it is easy to look up. (see md5.rednoize.com)

However if one were to use a non-dictionary and a long (14 characters with numbers) password, MD5 and SHA1 are reasonably secure for the purpose for a few months/years to come.

You may also consider using SHA-256 or RIPEMD. In any event the user password should be non-dictionary based and long (10 char+).


obviously all of this depends on you using an mde, rather than a mdb - as if users can get at your code, any protection is moot
 

gemma-the-husky

penguino29

that's a good point.


i have been using a mixture of reversible encryption, and hash functions to try and protect some databases.

I was more concerned with concealing and obfuscating what i was doing, and it hadn't occurred to me that you can disclose that you are using a hashing function, as the original value cannot be retrieved, but of course you are right.

it depends of course whether you need to retrieve the original value in the program.
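
The hash-and-compare scheme discussed in this thread, as an added example that is not code from any of the posters. It is written in Python for illustration rather than Access VBA, and it goes beyond the thread by adding a per-user random salt and PBKDF2-HMAC-SHA256, which are not mentioned above; the function names, the record layout and the iteration count are assumptions. It shows why an unsalted MD5 of a common word is found in a precomputed table, and how a salted, slow hash is stored and verified instead.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def md5_hex(password: str) -> str:
    """Unsalted fast hash: identical passwords always give identical values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precomputed hash -> word table (the "ENcrypt and compare" approach)."""
    return {md5_hex(w): w for w in words}


def make_record(password: str, salt: bytes = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' to store in the password column."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        iters, salt_hex, hash_hex = record.split("$")
        stored = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed or truncated record
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    common = ["password", "letmein", "john", "qwerty"]  # constructed word list
    table = build_lookup(common)
    # A stored unsalted MD5 of a common word is recovered by a plain lookup.
    print("unsalted MD5 found in table:", table.get(md5_hex("john")))
    # With a random salt, the same password yields different stored records,
    # so one precomputed table no longer covers every user.
    a, b = make_record("john"), make_record("john")
    print("same password, different records:", a != b)
    print("verify ok:", verify("john", a), "| wrong password:", verify("jane", a))
```

Nothing stored this way can be turned back into the password, so the approach only fits the case where the program never needs to retrieve the original value.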
 
