M$ Access DB Protection

Hi there, I have a database that I'd like to password protect. I thought I had it sorted by just opening in exclusive mode and Tools > Security > Set Database Password.

However it was then brought to my attention that there are programs like the one I have attached then can find the password in the blink of an eye.

I've tried setting up different user accounts on the database but it doesn't seem to work, I'm using Access 2003 if it helps any.

Currently there isn't much sensitive information in the database but I'm slowly but surely converting the entire site to call on the database for pretty much everything. The site is here by the way.
I am almost finished on a blooging script that I will use for the News section and I will use an Admin's only guestbook style script for the Articles. I also want to automate the member sign up process and store passwords inside the database so that they can be no "imposters" in the guestbook so long as a user is registered.

Well I hope you enjoyed my spiel about what the database is for. Can you help me solve my little security problem?

OK,

I admit I have not had a chance to play with the 2003 version yet, but I would make the general comment that MS Office is not designed for security as such. I have always used the operating system or third party software (file protection)

I would be interested if someone has a solution using the more recent versions (2000 onwards)

Cheers

Office 2000 and lower file protection COULD be crack in 5 minutes but since OfficeXP, cracking under 5 minutes is not working anymore. The only way to crack an OfficeXP (and probably Office 2003) access file is by brute force. And brute force take time.

If you want more info, I suggest you check http://www.elcomsoft.com/ Those guy are the best in password recovery. Look like Office 2003 security protection is the same that Office XP.

Also you should be able it encrypt the datbase, for another layer of security. I maybe wrong but don't pasword recovery apps have to be run locally?

If so, strong security on access to the machine hosting the database would seem to be a good idea,

Jinxy

Jinxy,

I suspect that part of the problem is that M$ Access supports both thin and thick client deployment so the security tends to travel with the app? so it must have it embedded in it.

Access is not a strategic development tool anyways, you should use SQLDB? I would say that Access is really a "trusted environment" tool?

Quote:

---

Office 2000 and lower file protection COULD be crack in 5 minutes

---

I want to work for Simon, he allows you a beer break half way through :D

Cheers

Hmmmmmm..............I must try 2003..............

Quote:

---

Originally posted here by SDK
The only way to crack an OfficeXP (and probably Office 2003) access file is by brute force. And brute force take time.

---

Are you kidding me? The program I posted decrypts an Access password literally as soon as you click the button. The password is also very long, has upper and lowercase letters, numbers and non-alpha numeric characters in it.

I'll look into different types of databases then, do any of you know if Oracle is any good, or perhaps you can recommend a better one?

Lavalamp............

Shame on you sir!, you used a tool.............next thing you will be "diving in the penalty box"?

I would have thought that MS SQLDB would be adequate, but Oracle is a brilliant DB..............I don't know what will work best with your server and the apps you are using..............I guess that Oracle might be "overkill"?

Cheers

Incidentally, Access tends to be limited with more than a few users if it is not pure "look up".......it has its own sort of DoS mechanism. Also look at using the "developer toolkit" which allows much more secure distributions of Access.

Just my thoughts

I didn't use a tool, I didn't even know about that tool until a couple of days ago until a prat went into the guest book and posted the password to the database in the name, email and message fields.

You know anywhere that sells MS SQLDB in the UK, preferably somewhere with a physical presence. I assume that it's not just something that I can go into PC World and pick up off the shelf. (I'd also like to say that PC World suck and drastically over charge on everything except RAM sticks.)

Last time I try to crack a Office File (Excel XP file), I had to brute force it. Most the information I found about password cracking are from http://www.elcomsoft.com/ . Those guy got tool ($$) for password recovery. If you know a software can crack OfficeXP or Office 2003 file under 5 minutes, tell us, we'll tested it!

Hi Lavalamp,

Just contact Microsoft UK................yeah it is well supported by them and their minions..........they will put you in touch with someone local........

Quote:

---

(I'd also like to say that PC World suck and drastically over charge on everything except RAM sticks.)

---

"as well as RAM sticks............" buy them direct from Crucial in Scotland..............good price and special delivery post, free of charge....lifetime guarantee..................hell you could stand in a PC world shop for as long, waiting to be served :D

I still think Sun + Solaris +Oracle............ack!..........that reminds me.............I must go buy a lottery ticket :)

Please keep us informed

Hmm, I'm wondering if MySQL is any good. I'm thinking of actually splashing out on some paid hosting from http://www.b-one.net/ they seem to have a pretty decent cheap service going on. 90p /month and £6 /year for a .co.uk, I can afford that. :D

Hey Hey

Quote:

---

SDK wrote:
you know a software can crack OfficeXP or Office 2003 file under 5 minutes, tell us, we'll tested it!

---

Have you ever heard of the Passware Password Recovery Kit? It's absolutely ridiculous, I created an Office 2k3 Document just moments again for use in this thread. I protected the document against changes only using the password pass123$%antionline (since AO inspired me to test this). All I did was open Office Key (1 of 26 password recovery utilities in this $500USD Suite) and drag the file onto it. In a matter of a couple seconds, if not milliseconds, the application came back to me with this.

Quote:

---

Recovering password for the file:
C:\...\This is a test password protected document.doc

Detected MS Word 2000/97 document

File-Modify password: no password is set
Document password: [MALLQGHFEVFKDNB] (no brackets) <Copy>
File-Open password: no password is set

---

This confused me, because as you can see the passwords don't match. I opened the Office 2k3 document and attempted to edit it. I was prompted to stop protection, which required the password. I pasted in the password that Office Key had returned to me, and sure enough I was again able to edit the document.

I used to have software to record my desktop, if I can find the software. I will record a small video of me setting a password, saving the file and dragging and dropping it onto the Office Key app.

This software cracks zip files in under 10 seconds and instantaneously cracks FileMaker pro files. I have not yet tested it on any other file types. The 26 apps included in this kit are:

1. 1-2-3 Key
2. Acrobat Key
3. Act Key
4. Backup Key
5. EFS Key
6. FileMaker Key
7. Internet Explorer Key
8. Lotus Notes Key
9. Mail Key
10. Money Key
11. MYOB Key
12. Office Key
13. Organizer Key
14. Outlook Express Key
15. Paradox Key
16. Peachtree Accounting Key
17. Project Key
18. Quattro Pro Key
19. QuickBooks Key
20. Quicken Key
21. RAR Key
22. Schedule Key
23. Windows XP-2000-NT Key
24. WordPerfect Key
25. WordPro Key
26. Zip Key
[/quote]

And yes, you are reading number 5 correctly, this suite also cracks Encrypted File System keys. Number 23 - Windows XP-2000-NT Key provides this fuctionality.

Quote:

---

Windows XP/2000/NT Key resets Windows XP/2000/NT security settings if Administrator password, secure boot password or key disk is lost.

This application creates Windows Key driver disk. Reboot locked system using Windows XP/2000/NT setup disks or CD-ROM and load Windows Key driver. When Windows Key driver is loaded, it will show you the list of Windows installations that could be processed.

Features:

100% recovery rate
Windows 2003 Server is supported
Windows XP Home and Professional Editions are supported
Windows 2000 Professional, Server and Advanced Server are supported
Windows NT Workstation and Server 4.0 are supported
Resets Domain Administrator password for Active Directory Domain Controllers (Enterprise Edition only)
All secure boot options are supported
All Service Packs are supported

---

As I have said, I've yet to test many of these, however the FileMaker Key and Office Key software operates as fast as, if not faster than, the human eye.

Peace,
HT

I think I know why HTRegz, look like Excel 2003 use Office 97/2000 Password protection by default? What a freaking shame!! This is why you can crack this file without pain and why the software said:

Detected MS Word 2000/97 document

I'm curious about trying with RC4 encryption type. Don't think it can be crack that easily.

Hey Hey,

I was using Word, not Excel.. but that's just splitting hairs.

Anyways... ask and ye shall receive. I've created an Excel sheet with RC4, Microsoft RSA SChannel Cryptographic Provider. I selected 128bit key and used the password ?p4ssw0rd$

It has entered brute force mode.

Quote:

---

Recovering password for the file:
C:\...eguly\Desktop\New Microsoft Excel Worksheet.xls

Detected MS Excel 2002 document

Starting password recovery engine...

Starting Dictionary attack with mutations...
Dictionary file: dict.txt, 3 mutation(s), 0 mistype(s), length: [1 - 15]
Symbol set: 0123456789abcdefghijklmnopqrstuvwxyz

Testing password: vOLCANIC
Done: tested 541,808 passwords in 10sec
Attack speed (passwords per second): 54,045

Starting Xieve attack...
Xieve table: <built-in>, level: 1%, length: [4 - 9]
Symbol set: 0123456789abcdefghijklmnopqrstuvwxyz

Testing password: fiathak
(Tested 18,827,326 passwords in 05m 19sec)
Passwords checked per second: 900,177,793 effective, 58,959 real

---

It works decently, however the problem is that using it's current scheme it will never find the password I choose. I suppose for most applications, the average user won't think up a complex password, so the dictionary attack w/ mutations would have been successful and it did only take 10 seconds.

I'll leave this program running since I'm in no need of CPU cycles and I'll post the results to you when it finishes.

Peace,
HT