An Observation Regarding Microsoft Access Security That Might Interest You (1 Viewer)

Was this article interesting to you ?

  • Yes very !

    Votes: 0 0.0%

  • Yes

    Votes: 1 100.0%

  • I knew that

    Votes: 0 0.0%

  • Nope

    Votes: 0 0.0%

  • Some confusing piece!

    Votes: 0 0.0%
  • Total voters
    1
D

datAdrenaline

AWF VIP
Local time
Today, 00:52
Joined
Jun 23, 2008
Messages
697
Ok ... here are a few of my security links ...

How to handle the absence of ULS with ACCDB format ...

vPPC (Virtual Password Protected Connection)

Note ... it is a HUGE thread, but the post I link you to is the "core" of vPPC. Also, please take note that the concept works with the MDB format as well but since the strength is dependant upon the DATABASE password, the protection achieved is much greater with A2007 than with A2003 and lower.

Regardless of the ability to break A2003 pwd's, I use the vPPC method in almost every new app I create. I find it simple and robust enought to make folks turn away ... but like I said, I am in a fairly controled environment and if employees are found out to be fishing around in the data and/or the app, without a buisness need to do so (ie: I am not around, and something is broke and skilled folks are trying to fix it) then it is grounds for "discipline" which may include termination ... Now, vPPC (especially vPPC/Enhanced) with A2007 is really quite strong, but I'm sure its not impervious.

...

Here's another one with ULS ... How to achieve ULS without having to enter a uid and pwd ...

ULS without entry of uid and pwd

...

Linked SQL Server tables WITH OUT storing the userid and pwd in the linked table def ... and with out being prompted (this is similar to vPPC) ...

SQL Server Linked Tabledefs ... no uid and pwd in the linked table def
 
nIGHTmAYOR

nIGHTmAYOR

Registered User.
Local time
Yesterday, 22:52
Joined
Sep 2, 2008
Messages
240
Banana i use a technique i created , the passwords user stores run through an algorythm that generates a long serial number , i made sure the equation cant be reversible by division and losing decimals in different sections that even i cant reconstruct passwords which i even save in a different table than usernames , then on login provided password would run through same algorythm and cross checking resulting figures .. see even if the algorythm falls in the wrong hands reconstructing passwords is rendered impossible.
now i was told that such technique is close to how md5 operates but i'm not realy sure.
 
B

Banana

split with a cherry atop.
Local time
Yesterday, 22:52
Joined
Sep 1, 2005
Messages
6,318
I don't know either, but FWIW, you can get modules for MD5 and SHA-256 in Visual Basic (and it works in VBA, too) for free, if you google for it. I use both among with my salting technique.

Yes, both MD5 and SHA-256 (and various other algorithms) are usually designed to reveal nothing even if in wrong hands. Bruce S., whom wrote the Blowfish algorithm believed that the algorithm should be open source because if there is a weakness, then the exploiter will use it, so it should be able to stand the scrutiny and still go nowhere closer to discovering the password. I quite agree with his argument.

This is my go-to site for cryptography.
 
B

Banana

split with a cherry atop.
Local time
Yesterday, 22:52
Joined
Sep 1, 2005
Messages
6,318
B

Banana

split with a cherry atop.
Local time
Yesterday, 22:52
Joined
Sep 1, 2005
Messages
6,318
That was a honest question. I'd like to know if there was a flaw in that proposition.

And no, I've not used it as I saw no need for it.
 
D

datAdrenaline

AWF VIP
Local time
Today, 00:52
Joined
Jun 23, 2008
Messages
697
Hello Banana ...

>> Now that made me wonder- why not use MSysConf[ig] table to prevent saving passwords on FE? <<

(note: the name of the actual table is MSysConf, for more info:
http://office.microsoft.com/en-us/access/HP051876211033.aspx)

I think that would be a good addition to the technique! Where I run into problems is if the SQL Server is set up to use both Trusted Connections and SQL Server Authentication, it seems that Access will try to use a Trusted Connection, so if the Windows user has permissions, then they can get in ... but I guess It kind of pointless to figure out a way to keep priveledged users out! ... It's been a while since I have used the SQL Server technique (I beleive creating a recordset will to the same task as creating a Linked TableDef) ... I may have to revisit the topic ...
 
You must log in or register to reply here.

Similar threads

V
Solved Security Risk Microsoft has blocked.....
Replies
17
Views
228
The_Doc_Man
The_Doc_Man
I
Solved Error -2146232576 in SHA256: Automation error in ms access
Replies
19
Views
1,198
isladogs
isladogs
G
Best Practices for Preventing Unauthorized Access to SQL Server in Access Applications
Replies
2
Views
261
Pat Hartman
P
M
Solved Microsoft Access Security Notice
Replies
17
Views
1,963
Marshall Brooks
M
N
Implementing Parameterized Queries in DAO for Enhanced Security in Access- SQL Server Application
Replies
12
Views
633
mdlueck
M

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Top Bottom