Bugtraq mailing list archives
Re: Microsoft Access 97 Stores Database Password as Plaintext
From: paulle () MICROSOFT COM (Paul Leach)
Date: Tue, 9 Feb 1999 18:56:08 -0800
-----Original Message----- From: Jim Paris [mailto:jim () JTAN COM] Sent: Tuesday, February 09, 1999 2:46 PM To: BUGTRAQ () NETSPACE ORG Subject: Re: Microsoft Access 97 Stores Database Password as PlaintextThe following text was posted to USENET, and indexed on aRussian cypherpunksite. I found it when I was doing some work with Access 97databses. Ithink you will agree that this particular "feature" makes the linked database password issue moot.Most definately!
No, I claim it was _always_ moot. Even if the password were strongly encrypted, the rest of the data in the database is not. So, unless you've used ACLs to protect the database, the data in it _is_ available, it's just a matter of a some amount of work. Unless the programmer went to a lot of work to obscure the password storage, the following procedure should work on nearly any of that generation of applications that pretended to "password protect" their files in the absence of file system security: 1. Create as small a database/file as possible, with an empty password. 2. Copy it. 3. Change the password on one copy 4. Diff the databases/files -- this will isolate even a strongly encrypted encrypted blank password. 5. Copy the target 5. Copy the encrypted blank password into the same offset in the copy of the target database/file. On the other hand, if you used ACLs to protect the database/file, then you could use a blank password, and it wouldn't matter. It is a fundamental security principle that effective security checks must be enforced by something that can _not_ be bypassed. Since, without ACLs or using the password to encrypt the whole database/file, there is no way to prevent the password checking from being bypassed, the approach is only good for what it was orignally intended for -- keeping out unsophisticated users. Paul
Current thread:
- Re: Microsoft Access 97 Stores Database Password as Plaintext, (continued)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ian Smith (Feb 10)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Billy Naylor (Feb 12)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ian Smith (Feb 12)
- Applets listening on Sockets in Java Tim Wright (Feb 12)
- Applets listening on Sockets in Java Lincoln Stein (Feb 13)
- Re: Applets listening on Sockets in Java Tim Wright (Feb 15)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ian Smith (Feb 10)
- palmetto.ftpd vulnerability clarification. Jordan Ritter (Feb 12)
- Microsoft Security Bulletin (MS99-005) aleph1 () UNDERGROUND ORG (Feb 12)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Michael Nelson (Feb 12)