How to Compare Microsoft Access Password With User-Supplied Password? - security

Curious as to how to compare a text box string to the password the user used to authenticate themselves when they started the Microsoft Access database.
Microsoft Access version is 2003. Users authenticate themselves using Microsoft Access Jet security.
UPDATE: Per CesarGon (thank you), this is really a question of comparing hashed values; how might I replicate the hashing Microsoft Access does and compare the hashes?

In your change password form, you can execute an ado sql command:
ALTER USER user PASSWORD newpassword oldpassword
Just make sure the text entered for both passwords are not the same.
http://msdn.microsoft.com/en-us/library/bb177884.aspx

I don't think you can do that. The passwords that users use for Jet security are hashed and stored in the System.mdw database; the passwords themselves are not stored, but only a hash computed from the password. There is no (practical) way to recover the password from that hash.
Edit. You may use the Jet API to have Jet perform the validation for you. This is some sample code:
'set security database.
DBEngine.SystemDB = "C:\Temp\System.mdw"
'create a workspace.
Set wksp = DBEngine.CreateWorkspace("New", "John", "john's-password")
If the workspace is created, then the provided password was correct. If the password was incorrect, the workspace won't be created and an error will be raised.

Related

Is it possible to set an existing couchdb user as admin?

I know you can create new admin users via PUT $HOST/_config/admins/username -d '"password"'.
However, what if I have an existing user from the _users database and I want to add it to the
admin party?
The main problem here is that I don't know that user's password.
Thanks in advance,
Andres
Since the documents in the _users database contain password hash fields (derived_key, password_scheme, salt, password_sha, iterations) the hashes can be reused to create an admin using the raw=true parameter.
The hashed admin password format for PBKDF2 is as seen in the source code:
-pbkdf2-derivedkey,salt,iterations
For the SHA1 it is not quite clear which one is the hash and which one is the salt. Just try.
Note that the admin hashes are not stored in the _users database for a reason and reusing a password that was once exposed in this manner for an admin might be a bad idea security-wise.

What hash algorithm is being used by #Password formula?

Does anyone know what hash algorithm is being used by #Password formula? My client keeps user accounts in standalone LDAP server. They need to sync passwords from LDAP to Domino internet password in person documents. We are trying to find a way how to accomplish this having only hashed version of password in LDAP. If Domino #Password would use some known hash algorythm like MD5, SHA etc. we can store password in LDAP this way and simply replace it in person documents.
Any idea here?
The following link is the public details on the Encryption methods in Domino.
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_NOTES_AND_DOMINO_ENCRYPTION_2250_OVER.html
Depending on how you have your server set up, using #Password may not work. The administrator can set "Use more secure Internet passwords" option.
This generates a personalised salt for each user in the $SecurePassword field of the person document (the field is protected as well). To correctly hash the password in this instance you need to use #Hashpassword. If the administrator knows what they are doing then the related password fields will be locked down by the xACL to prevent external access (for security reasons).
It is a little unclear what you are trying to achieve though. You can use Directory Assistance in Domino to authenticate against a third party LDAP.

Why do use webApps userID + password instead of a password only?

Just out of curiosity, I wonder why web apps typically user a userID and a password.
I don't see reasons, why a sufficiently long password doesn't fit too. For example, a password generated by a server-application.
Are there reasons an app ultimately has to use a userID too?
As long as password are unique and long, it perfectly allows to identify a user.
For one thing, password resets would be quite complicated without user IDs.
But the real reason would be that it's not possible to use salting to protect passwords if you don't have an user ID, which means that you would effectively not really be protecting your passwords.
Here's why. Salting requires you to know the salt that was used to generate the password hash. The process is as follows:
Locate salt using the User ID in your DB
Salt & Hash the password that was provided
Check whether this matches the password hash you have in the DB.
If you don't have an user ID, you'd need to check your password against every user in your database.
This is equivalent in complexity to checking one password is against your entire database, which is something you purposefully want to make prohibitively expensive (in time or money) by design.
One of the most important reasons why web applications don't use passwords only is that two users could have the same password.
When the password is the only factor to identify a user, user A could log in with his password and would have access to user B's account and not his own account since they use both the same password and the system needs to pick one user to log in.

Adding existing users from a table to a membership database

We have an asp.net web application which maintains a table with user information, passwords and roles. I am trying to import this information to a Membership database and ultimately use them for Form Based Authentication in a Sharepoint 2013 web application. I also noticed that the Membership database which I created does not store passwords. At this point I am a bit confused as to how to proceed with creating a FBA for my sharepoint site using the same member credentials and roles from my existing table.
It does actually store passwords. You probably have it configured for ‘hashed’ passwords – so you can’t actually see the passwords in the table – only a 1 way hash of the passwords. If you set the passwordFormat to Clear, the passwords will be in plain text within the db.
That being said, for security I do suggest you use Hashed. Do a search on google on how to hash your existing passwords so they can be put in the db in the correct format. But if you want to get it up and running quickly, use Clear and then Hash them in the future once you’ve got everything working.
And just a note - the password field is on the aspnet_Membership table.

vb access database password

how can one create a password on a visual basic access database when you have a vb datagrid
First, create a username and password for your MSAccess database (tools> security> set database password)
Next, make the connectionstring with the resulting password.
Then go about your biz, connecting as usual.
In your Microsoft Access database. Go to
tools>security>set database password
Next make the connectionstring with the password you just entered.
It will connect if you did it correcly.
If you want to do it programmatically, set a password column inside your table. Then, if the username and password match, the user should be entering the system. Otherwise, display an error message. Just don't forget to call the table from your datagridview to access interface.

Resources