Bypass mde to change it

FuzMic

Hi friends

Is it easy for a person with little MS Access knowledge to go behind an mde file to bypass the password to open the data mdb, and also get the password kept in an encrypted text file to continue to the next form?

I have been living with this belief:
You can't convert an .MDE database to a .MDB database - when the .MDE was created, all source code of the VBA modules in the database was removed; there is no way to reconstruct it.
You can copy the tables from the .MDE database to a new (or existing) .MDB or .ACCDB database.
You'd have to get hold of the .MDB file that was originally used to create the .MDE database if you need to edit the design of the reports, forms and code modules.

However, my mde seems to have been so easily compromised that all data kept in a password-controlled mdb is exposed. Tomorrow, back at the office, I will know if the mde has really been compromised.

If it is so easy, how can we protect our data? Does the mde-to-exe compiler advertised on the web work, and will it protect the mde better?
 
All that you said is true but ...

The backend password in an mde is easy to find by opening the file with a text editor. It is right next to the string PASSWORD. Moreover all strings in the code are stored as plain text so even if you write your own security in code it is exposed unless you hash the critical strings.

However, no matter what you do, an Access backend is always vulnerable because the attacker need only copy the file and take it offsite to break in at their leisure.

If you need security then you need a database server so that the data file is not exposed.
 
Thanks friend

The text file is hashed, so it is not so easy.

I did look at a passworded mdb with Notepad++; I can't seem to search/find/nocase the word 'password'.

I even created a blank new mdb access.02, passworded it, and converted it to mde. Both mdb and mde have no easy indication of the password in Notepad, Notepad+, Notepad++. What did I miss?

Have you tried converting to .exe, and does it work?
 
The text file is hashed, so it is not so easy.
I did look at a passworded mdb with Notepad++; I can't seem to search/find/nocase the word 'password'. What did I miss?

I might be wrong about the exact word.

Try searching for your actual backend password. I have definitely seen this vulnerability before.

Have you tried converting to .exe, and does it work?

Not tried it but if it is the product I have seen discussed before then it is basically a wrapper and doesn't make a true exe. Still would not fix the backend vulnerability.

I would urge you to take on a database server for your back ends. You won't look back once you climb the initial learning curve.

I am lucky because in my environment I have a full MS SQL server and all permissions are managed on the domain controller.
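A way to run the check suggested above ("try searching for your actual backend password") without relying on what a text editor displays. This is an added example, not code from the thread: the function names and sample bytes are constructed, and searching both 8-bit and UTF-16LE forms is an assumption about how a literal may be stored, not something the thread states.

```python
import re
import sys

# Encodings to check. A text editor normally shows only one of them, so a
# literal stored as 16-bit text is easy to miss in a visual search.
ENCODINGS = ("ascii", "utf-16-le")

def find_secret(blob: bytes, secret: str):
    """Return a sorted list of (offset, encoding) for each hit of secret."""
    hits = []
    for enc in ENCODINGS:
        needle = secret.encode(enc)
        start = blob.find(needle)
        while start != -1:
            hits.append((start, enc))
            start = blob.find(needle, start + 1)
    return sorted(hits)

def printable_strings(blob: bytes, min_len: int = 6):
    """Extract printable runs (like the `strings` tool) in both encodings."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([r.decode("ascii") for r in narrow] +
            [r.decode("utf-16-le") for r in wide])

# Constructed sample bytes (not taken from a real MDE): binary filler, a
# connect-string style literal stored as UTF-16LE, and an ASCII name.
SAMPLE = (b"\x00\x01" + b"\x13\x37" * 8
          + ";PWD=Tiger#2006;DATABASE=C:\\data\\be.mdb".encode("utf-16-le")
          + b"\xff\xfe\x00" + b"MSysObjects" + b"\x9c" * 4)

if __name__ == "__main__":
    # Usage: script.py <front-end file> <your own backend password>
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    secret = sys.argv[2] if len(sys.argv) > 2 else "Tiger#2006"
    for offset, enc in find_secret(blob, secret):
        print(f"secret found at offset {offset} ({enc})")
    for s in printable_strings(blob):
        if "PWD=" in s.upper() or "PASSWORD" in s.upper():
            print("review:", s)
```

Run it against a copy of your own compiled front end before distributing it; any hit means the literal ships to every user who receives the file.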
 
OK, my apps are for tiny setups, so I never looked at a data service. If I had to start, I would look at MySQL for a start. The advantage or disadvantage of a data server: all administration is done separately by the server, i.e. manage the server. With mdb, just a DOS zip backup is very fast and easy within my app.

But for the good news: with my various layers of protection, it was not compromised; it was a false alarm. I now sleep very well since you only remember it but are not sure.

Noted the wrapper view. Thanks again.
 
I have only worked with MS SQL Server.

The fine grained security and data capacity of a database server are only the beginning.

Backup is built in to the server and the database can be backed up with the users still working in it. When you want a copy of the live data, just back up and restore to another database. Backups can be full or incremental. It is even possible to have the database log every transaction and roll back to a nominated point in time.

It enables you to take most of the important queries out of the front end and replace them with server Views. If you like to write SQL then you will appreciate the query editor doesn't screw with the formatting like Access. TSQL is a slightly different dialect from Access but soon picked up.

The MS SQL Server Management Studio is pretty good once you grasp the basics.

Even the cut down free version is a significant upgrade from mdb/accdb storage in every way. 10GB of data and much more tolerant of slow connections than Access.

Access has the Upsize to SQL Server wizard, so why not give it a try with the free version and see how you like it?
 
mde's

It is worth looking at the website everythingaccess.com for a discussion and demonstration of what can actually be recovered from a supposedly safe mde database.

For reasons discussed there I now have hardly any public global constants. I add a level of encryption to critical items within the database (similar to what Galaxion suggested). And I do actually use the code protector from EverythingAccess.

With regard to the OP:

Do not store passwords in plain text. Even a simple XOR encryption with a suitable obscure codephrase should be sufficient to deter most amateurs. Don't worry too much about the data being exposed. Pretty well all applications expose their data.
 
As I see it an MDE file is mostly to protect your code, not your data.
 
Do not store passwords in plain text. Even a simple xor encryption with a suitable obscure codephrase should be sufficient to deter most amateurs.

As my dad used to say, "Locks are to keep the honest people out."

Don't worry too much about the data being exposed. Pretty well all applications expose their data.

Yes but you may need to control who it is exposed to. That requirement is central to the industry I work in. Critical data must be protected and Access simply cannot do it.
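The two suggestions made in this thread, XOR with a codephrase and hashing the critical strings, side by side. This is an added example, not code from any poster: the function names, sample password and iteration count are constructed, and PBKDF2 is one choice of hash that the thread does not name.

```python
import hashlib
import hmac
import os
from itertools import cycle

def xor_obfuscate(data: bytes, codephrase: bytes) -> bytes:
    """Repeating-key XOR. The same call both encodes and decodes, so the
    stored value is recoverable by anyone who also has the codephrase,
    and the codephrase has to ship inside the front end."""
    return bytes(b ^ k for b, k in zip(data, cycle(codephrase)))

def make_verifier(password: str, iterations: int = 200_000):
    """Return (salt, iterations, digest) to store instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def check_password(candidate: str, verifier) -> bool:
    """Recompute the digest for the typed password and compare in constant time."""
    salt, iterations, digest = verifier
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, digest)

if __name__ == "__main__":
    secret = b"Tiger#2006"                       # constructed sample value
    phrase = b"a suitable obscure codephrase"    # constructed sample value
    stored = xor_obfuscate(secret, phrase)
    print("XOR stored form:", stored.hex())
    print("XOR decoded    :", xor_obfuscate(stored, phrase))
    verifier = make_verifier("Tiger#2006")
    print("hash accepts correct password:", check_password("Tiger#2006", verifier))
    print("hash accepts wrong password  :", check_password("tiger#2006", verifier))
```

A stored hash only works for a password the application checks, such as the one gating the next form. A backend password that the front end must present to open the data file has to be recoverable by the front end, so hashing cannot protect it.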
 
