mdb password security

[doru00]

Hi!

I would like to know how secure is my info kept in a
password-protected .mdb file. I heard there are all kind of
applications out there that can obtain this password. If these are
based on brute-force only, what should be a good password lenght?
If password-protection isn't actually safe, what could be a workaround
for this (i.e. encrypting the data in the database, but SQL querrying
becomes unusable).

Any ideas/thoughts would be welcome. Thanks,
Doru

 

[Arvin Meyer [MVP]]

Access passwords are not long enough (14 characters) to be crack-free.
Security is a relative term. There are several applications out there that
can crack an Access password. They require a knowledgeable user, so your
average user can't break in. That said, any application can be cracked by a
skilled enough user. For data which must be kept secure, I use SQL-Server.
--
Arvin Meyer, MCP, MVP
Microsoft Access
Free Access downloads
http://www.datastrat.com
http://www.mvps.org/access

 

[Jerry Whittle]

Access security is like a padlock. It will keep honest people honest. It also
will keep dishonest people of limited means out of it. However someone with a
lot of time, skill, and/or resources (a.k.a money) might be able to break
into the database.

How sensitive or valuable is your data? What are the risks? I find that most
people vastly overstate both.

I've worked on a database that needed to be HIPPA compliant and we just
password protected it. Plus it was on a secured network where users had to
log in and screensavers were set to lock the computer with 2 minutes of
non-use.

 

[John Vinson]

Hi!

I would like to know how secure is my info kept in a
password-protected .mdb file. I heard there are all kind of
applications out there that can obtain this password. If these are
based on brute-force only, what should be a good password lenght?
If password-protection isn't actually safe, what could be a workaround
for this (i.e. encrypting the data in the database, but SQL querrying
becomes unusable).

Any ideas/thoughts would be welcome. Thanks,
Doru

A database password is about as secure as a $9.95 bicycle lock; there
are utilities available which can extract the password from the
database.

Access Workgroup Security is much better, albeit harder to implement.
Get the Security Whitepaper:

http://support.microsoft.com/kb/207793/en-us

It nominally applies to Access 2.0 through 2000 but nothing
significant has changed in 2002/3.

Read this document... CAREFULLY.
Sleep on it.
Read it again... even more carefully.
Follow its instructions, not omitting any steps.

If you assign good passwords this will keep out all but seriously
determined hackers. As noted elsethread, *no* desktop system is really
high security; you'll need to go to SQL/Server, and even its security
can be breached by determined and well-funded professionals.

John W. Vinson[MVP]

 

[jwm]

If you're referring to logging on to the database Mr. Vinson's suggestion is
good. If you're referring to securing the data on the computer look at:

http://www.jetico.com/

and their product BestCrypt. We use a variant of Mr. Vinson's approach and
store all our sensitive data within BestCrypt containers.

If your data is very sensitive, one of the excellent aspects of the
BestCrypt approach is that it provides a utility that can be used to
effectively wipe files, slack, free space, and the swap file.

It supports a variety of algorithms and up to 256 bit keys...so it's
robustly secure.