IElite

Reputation: 1848

MS ACCESS Database Password - How secure?

I have a program written in Delphi 7, which uses a MS Access 2000 database as the backend.

I have password protected my MS ACCESS 2000 Database file (*.mdb) with a 16 character password consisting of a mixture of Numeral, control, UpperCase, and LowerCase characters.

However, it looks like there are a number of programs on the market that claim that the password can be retrieved. What is the purpose of this database password if that is the case? Is there any way to make it so it is not retrievable? Tighten the encryption so to speak?

thanks

Upvotes: 3

Views: 4650

Answers (7)

Unreason

Reputation: 12704

What is the purpose of this database password if that is the case?

The purpose is to get people to upgrade to MS SQL Server and buy licenses for that as well. There are things MS will never fix.

On the other hand they have a free version of MS SQL Server which is not so crippled so you don't have to start paying through your nose unless your system will actually grow to need a full MS SQL Server.

However, if you develop systems like that (with no plan and not understanding limitations of the technologies you choose), you are most likely to lock yourself into proprietary features, for better or worse.

EDIT: Here is a quote directly from MS:

Note: Although the model and techniques discussed in this article enhance security, the most secure way to help protect your Access data is to store your tables on a server, such as a computer running Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2010.

Upvotes: 1

IElite

Reputation: 1848

I posted this question on Experts-Exchange as well. This is the kind of answer I was looking for (not criticism). Although this person eventually tells me to switch databases, he clearly explains why, without criticism:

DatabaseMX:

As you've discovered, there is essentially no security in an Access db password, prior to A2007. There are 1000's of tools (some free) that can immediately hack an Access password. A2007/10 is using an improved password paradigm ... its security level is not clear yet.

"Is there any way to make it so it is not retrievable" No. It's only slightly better than nothing, depending on your specific environment where the mdb will be used.

"What is the purpose of this database password if that is the case? " It was just a bad implementation. Period.

With A2003 and prior, the best you can do is a combination of the following: 1) db password 2) Add User Level Security 3) Create an MDE to protect code. But even an MDE can be hacked.

So, IF ... you really need better security, you will need to look at SQL Server or equivalent platform.

mx

Upvotes: -1

JeffO

Reputation: 8043

MS Access 2010 uses better encryption and has some other features. SQL Server Compact edition gives you a lot more security but is still appropriate for a desktop app.

Otherwise, go with a server database: MySQL, SQL Server, Oracle. Most have free versions.

Upvotes: 4

nvogel

Reputation: 25526

If security is a requirement then you should not be using a Jet database or any other file-sharing database architecture. It's as simple as that.

Upvotes: 2

vcldeveloper

Reputation: 7489

Is there any way to make it so it is not retrievable? Tighten the encryption so to speak?

It depends; you can either change your database and look for a more secure one (e.g. MS SQL Server Compact Edition), or if you want to stay on MS Access and security of the data is important to you, go for encrypting important fields using a good encryption algorithm (e.g. AES).

If you are going to encrypt your fields, you can do it transparently in Delphi; each DB field in Delphi is derived from the TField class, and has two events called OnGetText and OnSetText. OnGetText is fired every time you try to read the field's data, and OnSetText is fired every time you try to write to the field. You can encrypt a field's data whenever OnSetText is fired; that way, the encrypted data will be saved in the database. On the other hand, you can decrypt a field's data whenever OnGetText is fired; that way, the user will always see and work with the decrypted data. The whole process would be transparent to the users.

Of course you should take note that encrypting/decrypting fields every time they are read or written has a performance drawback depending on the number of fields to be encrypted, their size, the frequency of reading or writing them, and the encryption algorithm which is used. It's better you just encrypt the important fields.

Another option could be to encrypt the whole MS Access database file, and decrypt it whenever your application is connecting to it, but that way, the file is secure only as long as your application is not running; once your application is running and the file is decrypted, the file is exposed to others.

Upvotes: 3
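
The OnGetText/OnSetText approach described in the answer above, as an added example that is not part of the original answer. It assumes the third-party DCPcrypt library (units `DCPrijndael` and `DCPsha256`) for AES, since Delphi 7 ships none; `TFieldCrypto`, `Protect`, `Table1` and `CardNo` are hypothetical names.

```delphi
unit SecureFields;  // added example; assumes the DCPcrypt library is installed
interface
uses DB, DCPrijndael, DCPsha256;

type
  TFieldCrypto = class
  private
    FKey: string;  // obtained at run time (e.g. typed by the user), not a literal in the EXE
    function Transform(const S: string; Encrypt: Boolean): string;
  public
    constructor Create(const AKey: string);
    procedure Protect(Field: TField);  // e.g. Crypto.Protect(Table1.FieldByName('CardNo'))
    procedure GetText(Sender: TField; var Text: string; DisplayText: Boolean);
    procedure SetText(Sender: TField; const Text: string);
  end;

implementation

constructor TFieldCrypto.Create(const AKey: string);
begin
  inherited Create;
  FKey := AKey;
end;

function TFieldCrypto.Transform(const S: string; Encrypt: Boolean): string;
var Cipher: TDCP_rijndael;
begin
  Cipher := TDCP_rijndael.Create(nil);
  try
    Cipher.InitStr(FKey, TDCP_sha256);  // AES key derived by hashing FKey with SHA-256
    if Encrypt then Result := Cipher.EncryptString(S)  // Base64 text, longer than the input
    else Result := Cipher.DecryptString(S);
  finally
    Cipher.Burn;  // wipe key material before freeing
    Cipher.Free;
  end;
end;

procedure TFieldCrypto.Protect(Field: TField);
begin
  Field.OnGetText := GetText;  // fired when a control reads Field.Text / DisplayText
  Field.OnSetText := SetText;  // fired when a control writes Field.Text
end;

procedure TFieldCrypto.GetText(Sender: TField; var Text: string; DisplayText: Boolean);
begin
  if Sender.IsNull then Text := '' else Text := Transform(Sender.AsString, False);
end;

procedure TFieldCrypto.SetText(Sender: TField; const Text: string);
begin
  if Text = '' then Sender.Clear else Sender.AsString := Transform(Text, True);
end;
end.
```

The text column must be sized for the Base64 ciphertext, and SQL filters or indexes on a protected column operate on ciphertext. Because no random IV is supplied, equal plaintexts under one key produce equal ciphertexts, and nothing here detects tampering with the stored value.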

S.Lott

Reputation: 391818

What is the purpose of this database password if that is the case?

It makes people who think Access is a real database feel good about it.

Is there any way to make it so it is not retrievable?

Stop using Access.

Tighten the encryption so to speak?

Not in Access. However, if you stop using Access and use a real database, you'll find that you can also have real security.

Upvotes: 2

kiler129

Reputation: 1144

Use crypt AES instead of the standard mechanism.

Upvotes: 0
