Where/How is an ODBC password stored when 'saved' in Access?

I would like to point out, that the answer to the second part of the question has little to do with the first part.

Even if the password was stored in a super-strong encrypted fashion (it's not), this would still not be secure, in several aspects.

  1. The user has complete, unfettered access to the database. I.e. he can do anything he wants (per the permissions of the shared user... The user's privileges are restricted on the database, right?). E.g. accessing any unauthorized data, deleting other users' data, inserting garbage, etc.
  2. This sounds like there is a shared user account, that all the users have plugged into their ODBC connection... Which means, the database server has no way of limiting users' access, segregating their data, tracking who done what, etc.
  3. In any event, the ODBC password would need to be decrypted in memory, allowing the user to grab it, and then impersonate the application and again, do whatever he wants.

You'd be much better off redesigning the application, with a middle-tier and all...
I always find it odd discussing security and MS Access in the same conversation...

If you absolutely cannot change the architecture, consider using Integrated Windows Authentication, and tying user accounts (or group) to a db role for management. That way, at least each user will have his own account on the server, you can restrict access (according to the principle of least privilege), no shared accounts, and you can track each users actions on the database.


The ODBC password details can be addressed by firing up odbcad32.exe on your Windows box and interacting with the dialog box. I think the details you are looking for are found in the last few paragraphs of ACC2000: No Password Prompt Appears When Using Microsoft Access .MDB with ODBC


This was the first result in google when looking at where ODBC passwords are saved in general.

It turns out that they are stored in plaintext in the Windows registry. Open up regedit and have a look under:

HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI

Tags:

Passwords

Databases

Appsec

Recent Posts