Access vs Commercially available databases

I never said to use service accounts. No one ever asked me what I do, you all just poo-pooed the issue so I didn't bother.
Okay, humor me. You don't use Windows authentication for SQL Server backends; the only other option is SQL Server authentication, which means you do use a service account.
 
I once dealt with a biz that only used service accounts and granted dba to public because they didn't want to bother with security obstacles. They went bankrupt in a couple of years 🤣
 
Each user has an individual account, but I pick the password so he doesn't know it. His Windows login won't work. He logs into the Access app using whatever password he chooses, and the app logs into the server and links the tables using a password that only the DBA and I know. There are two ways to do this: either a hardcoded password, which the DBA and I must change frequently, or a generated password. I give the DBA a database he can use to generate a password for the user, and I use the same code. There are lots of ways to generate a password that is based on a string that is the user's login. Corporate logins are assigned by IT, so I start with that value. Then I make the password 30 characters: I append a string to the end of the login string with enough characters to bring it up to 30, then I pick some method of choosing characters from that string in some order to create the password, so even from the left and odd from the right, or whatever. The appended string should contain numbers and any special characters that the server password rules allow.

When the app closes, the tables are deleted to remove the links, although the password isn't saved in the link.
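The derivation the post above sketches, written out as an added example (not the poster's code): a constructed filler string stands in for the secret appendix the developer and DBA share, the login is padded to 30 characters, and the character selection is one concrete reading of "even from the left and odd from the right". The login `jsmith` and the `meets_policy` rule set are assumptions for the demonstration.

```python
# Added example, not from the thread. Deterministic password derivation:
# login + secret filler padded to TARGET_LEN, then a fixed reordering.
import string

TARGET_LEN = 30
# Constructed filler; in the post this is the secret string only the developer
# and the DBA know. It must be at least TARGET_LEN long to cover short logins.
FILLER = "7#Kq2!Zm9$Rt4%Wp1&Hd8*Ln3^Vx6@"


def padded(login: str) -> str:
    """Return the login extended with filler characters to exactly TARGET_LEN."""
    if len(FILLER) < TARGET_LEN:
        raise ValueError("filler must be at least TARGET_LEN characters")
    base = login[:TARGET_LEN]            # a login longer than 30 is truncated
    return base + FILLER[: TARGET_LEN - len(base)]


def derive_password(login: str) -> str:
    """Even positions read left to right, then odd positions read right to left."""
    s = padded(login)
    evens = s[0::2]                      # indices 0, 2, 4, ... left to right
    odds_from_right = s[1::2][::-1]      # indices 1, 3, 5, ... right to left
    return evens + odds_from_right


def meets_policy(password: str) -> bool:
    """Assumed server password rules: 30 chars, upper, lower, digit, special."""
    return (
        len(password) == TARGET_LEN
        and any(c in string.ascii_uppercase for c in password)
        and any(c in string.ascii_lowercase for c in password)
        and any(c in string.digits for c in password)
        and any(c in string.punctuation for c in password)
    )


if __name__ == "__main__":
    pw = derive_password("jsmith")       # constructed login
    print(pw, meets_policy(pw))          # prints jmt7K2Z9R4W1H8Ln*d&p%t$m!q#his True
```

Because the output is a pure function of the login and the filler, the filler carries all of the secrecy: anyone who learns it can derive every user's server password, and rotating it is the same operational task as rotating the hardcoded password the post contrasts it with.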
 
So the appended string is salted. I use a passwordless Yubico security key to log in.

 
If the client wants to provide hardware keys that's fine but it doesn't solve the problem we were discussing.
 
The point I make with security keys is that the client doesn't know the authentication key value. The issue you're discussing is the use of service accounts, which can easily fall into the wrong hands, and then how do you know who perpetrated a hack?
 
