Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext


From: FernaldB () ATNCOM COM (Fernald, Brian)
Date: Fri, 5 Feb 1999 10:11:19 -0500


->At this point, didn't you have to enter the password of the first mdb to
->get access to it?

Only at the time of creating the link table do you need to know the
password.  That is why it is stored in the second 'linked' .mdb file. (or so
I assume)


->If not, then it seems like that's _actually_ the bug: you got
->access to a password protected database without having to know the
->password.

which seems to be the case.

->Finally, why wouldn't ACLs be used to protect the database instead of
->passwords?

I tested it with varying permissions to both mdb files. Applying Read Only
permissions on the mdb file still allowed you to view the plaintext
passwords; when applying No Access it would not work (as it should), however
that would effectively render the linked table useless.

Mileage may vary with using ACLs here though; if a user has a legitimate
need to view the data in the linked table (but not modify it) then they must
have some access to the file.  Being able to view the password would allow
the user to elevate their privileges and allow them to modify the data.

You can also set permissions within Access to the various database objects,
I haven't had time to investigate their impact on this tho.


I am also not an Access Guru.. ;-)

bf.
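
An added example, not part of the original post and not Microsoft tooling: an audit helper that flags .mdb files carrying an embedded linked-table password, reporting only its offset and length. It assumes the link's connect string holds the password as `PWD=<value>` in single-byte or UTF-16LE text; the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# Assumption: a linked-table connect string carries the password as
# "PWD=<value>" (value ends at ';' or a non-printable byte), stored either
# as single-byte text or as UTF-16LE.
_PRINTABLE = rb"[\x20-\x3a\x3c-\x7e]"          # printable ASCII except ';'
_ASCII = re.compile(rb"PWD=(" + _PRINTABLE + rb"{1,64})")
_UTF16 = re.compile(rb"P\x00W\x00D\x00=\x00((?:" + _PRINTABLE + rb"\x00){1,64})")

# Constructed sample bytes, not taken from a real database file.
SAMPLE = b"\x00\x01\x00\x00MS Access;PWD=s3cret;DATABASE=C:\\data\\first.mdb\x00\x00"


def find_embedded_link_passwords(data):
    """Return sorted (offset, encoding, length) tuples for each PWD= value.

    The value itself is never returned, so the report can be shared.
    """
    hits = []
    for encoding, pattern, width in (("ascii", _ASCII, 1), ("utf-16le", _UTF16, 2)):
        for match in pattern.finditer(data):
            hits.append((match.start(), encoding, len(match.group(1)) // width))
    return sorted(hits)


def audit_file(path):
    """Scan one file on disk; needs only the read access the post describes."""
    with open(path, "rb") as handle:
        return find_embedded_link_passwords(handle.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for offset, encoding, length in audit_file(path):
            print(f"{path}: embedded link password at offset {offset} "
                  f"({encoding}, {length} chars)")
```

Any file it flags should be treated as exposing that password to every account with read access to the file.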


