  1. #1
    Join Date
    Feb 2009
    Posts
    6

    Unanswered: Can I Mask Passwords Stored in an Access Database?

    I made a simple website that involves a couple of people logging in. We all have access to viewing the database. Is there a way that I can mask the passwords so that they aren't displayed in clear text?

    Thanks in advance!

  2. #2
    Join Date
    May 2005
    Posts
    1,191
    In the table design view, when you select the field in question there is a property called Input Mask, push the little button beside it and you get the wizard, just select Password. Though a word of warning, I remember a thread about this not too long ago.
    Me.Geek = True

  3. #3
    Join Date
    Nov 2007
    Location
    Adelaide, South Australia
    Posts
    4,049
    Quote Originally Posted by kennywhite
    I made a simple website...
    Are you trying to mask them in your website, or your Access database?
    Owner and Manager of
    CypherBYTE, Microsoft Access Development Specialists.
    Microsoft Access MCP.
    And all around nice guy!


    "Heck it's something understood by accountants ... so it can't be 'that' difficult..." -- Healdem
    "...teach a man to code and he'll be frustrated for life! " -- georgev

  4. #4
    Join Date
    Feb 2009
    Posts
    6
    I am just trying to mask the passwords in Access.


    nckdryr, your solution sounded simple enough, but I didn't see that property. How do I get to it? I tried highlighting and right clicking the column and individual rows as well, but no luck.

    Thanks!

  5. #5
    Join Date
    Feb 2009
    Posts
    6
    Aha! I have to do that in design view! Sweet, so simple!


    Thanks!

  6. #6
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    ... and so simple to view again....
    all you have done is make the passwords look masked.. they are still stored in plain text.

    if you want to hide the passwords then use an encryption algorithm that will then store a hash code of the password. that at least has the merits of being semi secure.

    I still don't really understand why people write their own security & password routines when you can use the windows network logon as your authentication method.
    I'd rather be riding on the Tiger 800 or the Norton

  7. #7
    Join Date
    May 2005
    Posts
    1,191
    Agree with Healdem about fosUserName vs stored passwords. Though for people who regularly code in Access doing this kind of thing is very easy, but for some people who simply use the database without ever even seeing a module, it may not be so easy.
    Me.Geek = True

  8. #8
    Join Date
    Feb 2009
    Posts
    6
    Right, I'd much rather bypass the logins and authenticate with the domain accounts, but I was out voted on that.

    I would love to use an encryption algorithm, but I've assumed that would mean having to change lots of code that is already in place as well as writing much more. If I'm wrong about having to change more than a couple of lines of existing code, let me know and I'll be all over that.

    Just hiding it in the table view is good enough for right now, but if there was a better, easy to implement way I'd be all for it.

  9. #9
    Join Date
    Nov 2007
    Location
    Adelaide, South Australia
    Posts
    4,049
    Encrypting the password against the username and userID makes it so much more secure, but you do have to write something to encrypt the password. It's not a LOT of work, but it's more than a couple of lines.
    Owner and Manager of
    CypherBYTE, Microsoft Access Development Specialists.
    Microsoft Access MCP.
    And all around nice guy!


    "Heck it's something understood by accountants ... so it can't be 'that' difficult..." -- Healdem
    "...teach a man to code and he'll be frustrated for life! " -- georgev

  10. #10
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    you can get an encryption library from Microsoft, forget what it's called, it's relatively trivial to install it.. but it does mean each person using the app must have it installed (that tends to annoy sysadmins/network trolls as they have to get off their backsides and do something). it may even be a default install on newer windows installations

    installing a password in the manner that you are doing is in my books a very dangerous game.
    it's implying that you are taking security seriously, yet by merely changing a format you are not. I'd argue that what you are doing is worse than relying on Access Workgroup security. secure is what neither approach is. your approach is dangerous because it has a veneer of security (it looks secure because the password is masked, not encrypted). anybody with half an ounce of smarts (and that includes many many users) can get access to the unencrypted password. if this app contains secure information then do not go down this route, if it doesn't contain secure information then why use a password in the first place.

    applying security is not some afterthought, although it nearly always is.

    if you were outvoted by others then you need to either enlighten them of their stupidity or naivety or get out of there.

    read the Access security FAQ
    I'd rather be riding on the Tiger 800 or the Norton

  11. #11
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    for whatever it is worth, attached is a simple demo of hashing passwords using the M$ capicom library.

    the module holds a hash function (three lines of working code plus housekeeping) that gives you the hash with one line of code.

    izy


    LATER:
    sorry - had to change the .ZIP
    absolutely zero changes to the code
    Last edited by izyrider; 02-21-09 at 15:22.
    currently using SS 2008R2

  12. #12
    Join Date
    Feb 2009
    Posts
    6
    Quote Originally Posted by izyrider
    for whatever it is worth, attached is a simple demo of hashing passwords using the M$ capicom library.

    the module holds a hash function (three lines of working code plus housekeeping) that gives you the hash with one line of code.

    izy
    That looks fairly simple, but I'm an uber noob when it comes to Access, and I'm not exactly sure that I get how to install and use this. Could you possibly give me any pointers or documentation?

    Thanks!

  13. #13
    Join Date
    Jun 2004
    Location
    Arizona, USA
    Posts
    1,848
    is the website using asp?

    if so, you could just about use that hash function 'as is.'

    In any event, you would add code to the website, so that any time the users enter their password to log in, the hash function would get called, to calculate the hash of the password.

    Then, compare the user's hashed password against the stored hashed password for the user.

    How does the password get into the database in the first place? Is there a change password routine via the website? Or, do you have the users enter the password directly, via an access page?

    If it's the first, then, you'll need to review the code, and wherever the user enters a password, you'll first need to get the hash of it. That's about it. If it's the second option, you'll need to run an update query to replace the clear password with the hashed password.

    Note: You cannot recover the original password from the hashed password. A hash operation is a one-way transformation.
    Lou
    To astonish
    "Lisa, in this house, we obey the laws of thermodynamics!" - Homer Simpson
    "I have my standards. They may be low, but I have them!" - Bette Middler
    "It's a book about a Spanish guy named Manual. You should read it." - Dilbert


  14. #14
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    "install" is an exaggeration.
    import the module izycapicom into your application.

    you currently have some code that compares a saved plaintext password with (masked) user input.
    replace your code that looks like:
    if <userInput> = <savedPassword> then
    with:
    if izyhash(<userInput>) = <savedHashedPassword> then

    you also have some code somewhere that adds a new user-password to a table. edit that code to store izyhash(<userInput>) instead of <userInput>

    if you have defined only all/none access rights you should be reasonably ok like that.
    if you have different levels of access (e.g. user/superuser) then you are exposed to userX copying his hashedPassword to superUserY's saved password ...and thus obtaining superuser privileges. the demo uses izyhash(<userInput> & <userName>) as the first step in defending against this simple exploit.

    you have been warned in the earlier posts about home-made security (in truth, any security). hashing the password is a bit like a car-alarm: it is better than nothing; it encourages honest folk to remain honest; but if the unGodly really want to deploy the resources necessary to invade your system - they will succeed.

    good luck with it.

    izy

    BAAAAAAH NO!
    after importing/copy-pasting/retyping the module, you also need to set the reference to capicom.dll :
    Alt-F11 (code window) menu: tools/references, scroll on down to CAPICOM, tick it, done.
    Last edited by izyrider; 02-23-09 at 16:14.
    currently using SS 2008R2
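
The steps from posts #13 and #14 (a one-off update that replaces clear-text passwords, a login check that compares hashes, and a hash bound to the user name so a copied hash fails on another row), as an added example that is not the izycapicom module or any code from the thread. It is written in Python with an in-memory SQLite table standing in for the Access table, and it swaps the CAPICOM hash for a salted PBKDF2 hash; the table, column and function names and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed work factor for PBKDF2

def hash_password(password, username, salt):
    # Bind the hash to the account name: the same password and salt
    # give a different hash for a different user.
    data = username.encode() + b"\x00" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def migrate(db):
    # One-off update: replace every clear-text password with salt + hash.
    rows = db.execute(
        "SELECT username, password FROM users WHERE pw_hash IS NULL").fetchall()
    for username, clear in rows:
        salt = os.urandom(16)
        db.execute(
            "UPDATE users SET password = NULL, salt = ?, pw_hash = ? "
            "WHERE username = ?",
            (salt, hash_password(clear, username, salt), username))
    return len(rows)

def check_login(db, username, attempt):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[1] is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(attempt, username, row[0]), row[1])

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    # Constructed sample accounts.
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("userx", "tulip-42"), ("supery", "Norton-800")])
    migrated = migrate(db)
    ok = check_login(db, "userx", "tulip-42")
    # Row copy from post #14: userx's salt and hash pasted over supery's.
    db.execute(
        "UPDATE users SET "
        "salt = (SELECT salt FROM users WHERE username = 'userx'), "
        "pw_hash = (SELECT pw_hash FROM users WHERE username = 'userx') "
        "WHERE username = 'supery'")
    swap_works = check_login(db, "supery", "tulip-42")
    return migrated, ok, swap_works

if __name__ == "__main__":
    print(demo())
```
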
