MS access Encrypt Users Passwords Stored in User Table (SQL)
Question
My database is Access front end which is linked to SQL tables, is there a way of Encrypting/Hashing the passwords that are stored in my user table?
I have seen something about Hashbytes and Salt? but not sure how to implement it?
thank you in advance for your help
2 answers
solution1
1 2014-11-13 19:39:14
There is no native way to encrypt/decrypt in Access, but it's not hard to create your own. You can use the old "Zebras" method, by assigning different letters to the alphabet (you could also use some numbers or other ASCII characters instead):
Public Function Encrypt(strvalue As String) As String
Const LowerAlpha As String = "abcdefghijklmnopqrstuvwxyz"
Const LowerSub As String = "zebrascdfghijklmnopqtuvwxy" 'zebras
Const UpperAlpha As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Const UpperSub As String = "ZEBRASCDFGHIJKLMNOPQTUVWXY" 'ZEBRAS
Dim lngi As Long
Dim lngE As Long
Dim strEncrypt As String
Dim strLetter As String
If strvalue & "" = "" Then Exit Function
For lngi = 1 To Len(strvalue)
strLetter = Mid(strvalue, lngi, 1)
Select Case Asc(strLetter)
Case 65 To 90 'Uppercase
'Find position in alpha string
For lngE = 1 To Len(UpperAlpha)
If Mid(UpperAlpha, lngE, 1) = strLetter Then GoTo USub
Next
USub:
strEncrypt = strEncrypt & Mid(UpperSub, lngE, 1)
Case 97 To 122 'Lowercase
'Find position in alpha string
For lngE = 1 To Len(LowerAlpha)
If Mid(LowerAlpha, lngE, 1) = strLetter Then GoTo LSub
Next
LSub:
strEncrypt = strEncrypt & Mid(LowerSub, lngE, 1)
Case Else 'Do not substitute
strEncrypt = strEncrypt & strLetter
End Select
Next
'Now pass this string through ROT13 for another tier of security
For lngi = 1 To Len(strEncrypt)
Encrypt = Encrypt & Chr(Asc(Mid(strEncrypt, lngi, 1)) + 13)
Next
End Function
Then work backwards to decrypt:
Public Function Decrypt(strvalue As String) As String
Const LowerAlpha As String = "abcdefghijklmnopqrstuvwxyz"
Const LowerSub As String = "zebrascdfghijklmnopqtuvwxy" 'zebras
Const UpperAlpha As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Const UpperSub As String = "ZEBRASCDFGHIJKLMNOPQTUVWXY" 'ZEBRAS
Dim lngi As Long
Dim lngE As Long
Dim strDecrypt As String
Dim strLetter As String
If strvalue & "" = "" Then Exit Function
'Reverse the ROT13 cipher
For lngi = 1 To Len(strvalue)
strDecrypt = strDecrypt & Chr(Asc(Mid(strvalue, lngi, 1)) - 13)
Next
'Now reverse the encryption
For lngi = 1 To Len(strDecrypt)
strLetter = Mid(strDecrypt, lngi, 1)
Select Case Asc(strLetter)
Case 65 To 90 'Uppercase
'Find position in sub string
For lngE = 1 To Len(UpperSub)
If Mid(UpperSub, lngE, 1) = strLetter Then GoTo USub
Next
USub:
Decrypt = Decrypt & Mid(UpperAlpha, lngE, 1)
Case 97 To 122 'Lowercase
'Find position in sub string
For lngE = 1 To Len(LowerSub)
If Mid(LowerSub, lngE, 1) = strLetter Then GoTo LSub
Next
LSub:
Decrypt = Decrypt & Mid(LowerAlpha, lngE, 1)
Case Else 'Do not substitute
Decrypt = Decrypt & strLetter
End Select
Next
End Function
solution2
-1 2014-11-13 20:26:10
Unfortunately, if you modify or encrypt the connection in the linked table then you will find that you cannot connect to SQL serer. Any suggesting here about having some “encryption” routine will NOT WORK and is NOT relevant since if you modify or mess with the connection strings in your linked tables, then the linked tables will fail. Thus the ONLY possible way this could work is if you take the encrypted connection, de-crept and re-link to SQL server with the plan text connect strings with the user ID and password in plain sight. At this point any user placing their cursor over a linked table will see the user id and password in plain sight (so you gain little if anything by this suggested approach). The two solutions are:
1 – use windows authentication on SQL server. That means the plain text connections in the Access linked tables do NOT require the user id and password.
2 – use cached logons. This is the RECOMMENDED solution.
Thus you DO NOT include the uid and password in the connection string. Thus there is no need to worry about users looking at the connection string.
What you thus do on startup is execute a logon. The VERY INSTANT you execute a SQL logon, then all linked tables WITHOUT userid/password WILL NOW WORK!
The logon code I use is thus this:
Function TestLogin(strcon As String) As Boolean
On Error GoTo TestError
Dim dbs As DAO.Database
Dim qdf As DAO.QueryDef
Set dbs = CurrentDb()
Set qdf = dbs.CreateQueryDef("")
qdf.Connect = strcon
qdf.ReturnsRecords = False
'Any VALID SQL statement that runs on server will work below.
' this does assume user has enough rights to query built in
' system tables
qdf.SQL = "SELECT 1 as test"
qdf.Execute
TestLogin = True
Exit Function
TestError:
TestLogin = False
Exit Function
End Function
How to achieve this is outlined in detail here:
Power Tip: Improve the security of database connections
It makes LITTLE sense to encrypt the connection string, since then on startup you have to re-link with plain connection strings NOW in sight. And worse is on shutdown you have to re-link the tables gain, else they all be in that linked state with full uid/passwords in plain sight.
Not only is such a process time consuming, but prone to MUCH failure and if the application is shutdown incorrect then the “proposed” schemes here of using custom linking will not only fail, but are impractical solutions.
So using cached logons and passwords results in NOT having to include password and logon in those strings. You can prompt a user for their uid/password, execute the logon and NOW all linked tables like magic will use that logon/pass and do NOT have to be linked and thus you don't have to store the userid/logon in the application or in the linked table(s) connection strings.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.