clifgriffin
I've written a password management application using .NET and C# that
stores several lists of passwords in a password protected Microsoft
Access database.

My first question is this...

1. Is Access 2007 security formidable? I know in previous versions,
there were many utilities that would remove or reveal the password. How
easy is it to circumvent Access 2007's beefed up encryption?

I relied on the Microsoft model of handling database connections. They
store a global connection string in the application settings, which
unfortunately includes a password. The problem with this, obviously,
is that you can simply run strings against the compiled application to
find the password to my database in plaintext.

This obviously defeats the purpose of all the security and hashing
done in the rest of the application. This one little password gives
them access to all lists.

So my second question is...

2. Assuming Access 2007 security is sufficiently hard to crack, how
can I obscure or encrypt the password for the database in my code
without having it directly related to user input. (Impractical since I
have multiple passwords.)

The solution does not have to be 100% unbreakable. We have more layers
of protection than just this utility (including a Windows account
password, and a fingerprint reader).

But it should be at least secure enough that someone cannot simply run
strings against the binary to get the password to the database with
all of our other passwords.

Any ideas?

Thanks in advance,
Clifton
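
An added example, not part of the original post: a build-time check in Python that scans a compiled binary or config file the way `strings` does and flags any connection-string password left in it, covering both single-byte text and the UTF-16LE form in which .NET assemblies store string literals. The sample bytes, the password in them and the function names are constructed for illustration.

```python
import re

# Printable runs as single-byte text (e.g. a .config file) and as UTF-16LE
# (each character followed by NUL), the form used for .NET string literals.
# Plain `strings` only reports the first kind; `strings -e l` reports the second.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Connection-string keywords that carry a secret. "Jet OLEDB:Database Password"
# is the property used for an Access database password.
SECRET = re.compile(
    r"(Jet OLEDB:Database Password|Password|Pwd)\s*=\s*([^;\"'\s]+)",
    re.IGNORECASE,
)

def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def mask(value: str) -> str:
    """Keep the first character only, so the report does not leak the secret."""
    return value[:1] + "*" * (len(value) - 1)

def find_embedded_passwords(data: bytes):
    """Return (offset, encoding, keyword, masked value) for each finding."""
    findings = []
    for offset, encoding, text in extract_strings(data):
        for m in SECRET.finditer(text):
            findings.append((offset, encoding, m.group(1), mask(m.group(2))))
    return findings

# Constructed sample: filler bytes around the same connection string stored
# once as UTF-16LE and once as ASCII. Not taken from any real application.
CONN = ("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=vault.accdb;"
        "Jet OLEDB:Database Password=Examp1e!;")
SAMPLE = (b"MZ\x90\x00\x03" + CONN.encode("utf-16-le") +
          b"\x00\x00\x01\x02" + CONN.encode("ascii") + b"\x00")

if __name__ == "__main__":
    for offset, encoding, key, masked in find_embedded_passwords(SAMPLE):
        print(f"offset {offset:#x} ({encoding}): {key} = {masked}")
```

Run against the real build output, any finding means the database password ships in recoverable form and the build should fail.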