X   Site Message
(Message will auto close in 2 seconds)

Welcome to UtterAccess! Please ( Login   or   Register )

Custom Search
2 Pages V < 1 2  (Go to first unread post)
   Reply to this topicStart new topic
> Encrytion Standard Used By Default Access 2016 Accdb File, Access 2016    
post Dec 7 2018, 01:04 PM

UtterAccess VIP
Posts: 2,109
Joined: 4-June 18
From: Somerset, UK

Hi Allyson

I was very careful in my choice of words - perhaps too careful as I didn't mean what you thought.

If you read post 14 including the link provided, you should get a better idea of how Access stores & retrieves the password information.
If you also read post 17 & the linked article on my website you will get further information about the information that can be easily retrieved from unencrypted Access files.

However don't confuse two different things.
If you encrypt an ACCDB/ACCDE file with a password the entire file is encrypted and is almost impossible to read with any external software.
However if you link an Access FE to a BE file (encrypted or not), the connection strings are stored in the hidden system table MSysObjects
For info, if you know how to do it, you can also look at that table from another Access database

No matter how long your BE passwords ( I think 20 characters is the max allowed), these will appear in full in the connection string.
So these will always be visible if you look at the Connect field in MSysObjects.
As that table cannot be edited (at least not directly), you cannot hide or mask passwords in those connection strings.

So if you need to prevent users knowing the BE password(s), you need to lock down your FE file to prevent users being able to view system tables
There are many security measures you can do to make it very difficult for users to 'hack' your applications.
I mentioned some of those in my last reply.
If you are interested, there are a number of security challenges on my website.
Even if you don't try & solve them, you can look at what I've done to limit user access.

There is one other solution that can work in certain limited cases.
Do not have BE tables that are permanently linked to your FE.
Instead use code containing SQL statements to set form & report record sources in their Load or Open events
Do NOT save it in the form/report property sheet. Destroy that recordsource when the object is closed
Use an ACCDE file so nobody can read the code used
The result is a fully functional split database with no linked tables so no connection strings visible in MSysObjects

To help explain this idea, see the attached simple demo. The zip file contains an ACCDB FE, encrypted BE (password=isladogs) and a Word doc explaining how to use the demo

However, do remember that Access is not intended for mission critical data security.
If there are serious data privacy issues, instead use e.g. SQL Server to store your BE data

Attached File(s)
Attached File  LinkedNoTables.zip ( 476.62K )Number of downloads: 9

Colin (Mendip Data Systems)
Website, email
Go to the top of the page
post Feb 1 2019, 10:59 AM

Posts: 516
Joined: 29-April 08

I was wrong!

If the password is long - I used 20 characters - the max - you cannot get it from msysobjects - I worked it through here https://www.UtterAccess.com/forum/index.php...2052426&hl= (there is a DB example attached) - see my second post.

So this is pretty secure????? Combined with the below "cipherAlgorithm="AES" sounds good? And hashAlgorithm="SHA512"? And cipherChaining="ChainingModeCBC" ?
" enhanced security in Access 2016.

So is there any way of getting to this long password in the DBTestEncENCRYPTENCRYPT123420.accbd (password is ENCRYPTENCRYPT123420 ) - see link above.


UK North Yorkshire / North East
Go to the top of the page
post Feb 1 2019, 11:52 AM

UtterAccess VIP
Posts: 2,109
Joined: 4-June 18
From: Somerset, UK

I've responded in your other thread: https://www.UtterAccess.com/forum/index.php...=0#entry2709462

There is a big flaw which means the linked table is unuseable with a 20 character password
This post has been edited by isladogs: Feb 1 2019, 11:53 AM

Colin (Mendip Data Systems)
Website, email
Go to the top of the page
2 Pages V < 1 2

Custom Search

RSSSearch   Top   Lo-Fi    28th January 2020 - 07:40 AM