Access user passwords crack

[Sergei Gorkov]

Hi, guys!
There're different kinds of software that can read system.mdw files and
extract passwords easily. Which means that whoever wants to get access to
the DB can do it (like I'm a regular user -- means I have at least
read-access to .MDW file, right. SO, I can run the cracker and get unlimited
access). Am I missing something?
I'm an application developer. I badly need to avoid this security hole.

All help would be greatly appreciated.

 

[TC]

Hi, guys!
There're different kinds of software that can read system.mdw files and
extract passwords easily. Which means that whoever wants to get access to
the DB can do it (like I'm a regular user -- means I have at least
read-access to .MDW file, right. SO, I can run the cracker and get unlimited
access). Am I missing something?
I'm an application developer. I badly need to avoid this security hole.
All help would be greatly appreciated.

MS screwed-up how they used the DES cipher to encrypt passwords. At
present there is no way around this weakness. However, there is a
(literally) 1-line fix for the problem. I plan to suggest this to them
in due course.

Note that finding the passwords should not necessarily give your users
"unlimited access" to the database. "Unlimited access" permissions
should be limited to a master user who does not appear in the
workgroup files that you give to your users. Then, if a user cracks
the passwords, he can impersonate the other users, but he still does
*not* have "unlimited access" to the database (in terms of being able
to change its design, etc.).

HTH,
TC

 

[TC]

Er, my post does not define my full knowledge of Access security issues! It
simply answers the OPs question, namely, yes - there *are* products that
retrieve the usernames & passwords from workgroup files.

TC