
Thread: Database Security

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Oct 2005
    Posts
    341

    Database Security

    Hey peoples. I've got a VB6 app and I want it to open a database. I've got the database locked with a password. I have a bunch of users each with his own table inside the database. I have a password for each user stored in the database.

    At the moment the program has a hard coded password it uses to open the DB then it asks the users for a PW and away we go.

    But that's not very secure because anybody could read through my EXE and find the password. What's the best practice? I'm thinking I should store a hash of the user passwords inside the database and use that to authenticate the users but here's the question... how do I keep the DB password secure so the EXE can open the DB???

    Any suggestions appreciated.

  2. #2
    Member gilman's Avatar
    Join Date
    Jan 2017
    Location
    Bilbao
    Posts
    59

    Re: Database Security

    Put the DB password encrypted

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    Oct 2005
    Posts
    341

    Re: Database Security

    Originally Posted by gilman:
        Put the DB password encrypted
    Of course. But how would the program decrypt the PW? Presumably with a decryption key. And where would you store that key (which is just a password)? And how do you keep THAT key safe?

    I can do an MD5 1 way hash and I can encrypt/decrypt with AES routines but AES needs a seed and I don't know how to keep the seed secret.

  4. #4
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,519

    Re: Database Security

    This is one of the things we have the Data Protection API (DPAPI) for.

    [Image: sshot1.png - First run]

    [Image: sshot2.png - Subsequent runs]

  5. #5

    Thread Starter
    Hyperactive Member
    Join Date
    Oct 2005
    Posts
    341

    Re: Database Security

    Sure. I know how to encrypt data and decrypt data and hash a password. But none of that helps. The PROGRAM needs to store a password so it can open its database. Where can a program store a database password in a secure way? You can't hard code it. You can't store it in a plain text file. If you store it in an encrypted file you are in the same boat - where do you store the password to decrypt the password???

  6. #6
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,519

    Re: Database Security

    You don't need a password to decrypt the data BLOB using the DPAPI. All you need is the entropy BLOB if you used one.

    The key is managed by Windows and tied to either the machine or to the machine and user.

  7. #7
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,519

    Re: Database Security

    The entropy data is for when you want your program to be secure against other programs on the machine. I suppose if you think of it as a subpassword then yeah, you are back to square one. At that point it is just a standard way of doing what you already considered.
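
Added example (not part of any post in this thread): a VB6 wrapper around CryptProtectData/CryptUnprotectData showing the DPAPI approach described in posts #4 to #7, including the optional entropy BLOB. The helper name Dpapi, the Demo routine, the entropy string and the sample password are assumptions made for illustration.

```vb
Option Explicit
Private Type DATA_BLOB
    cbData As Long
    pbData As Long
End Type
Private Const CRYPTPROTECT_UI_FORBIDDEN As Long = &H1   ' never show a prompt
Private Declare Function CryptProtectData Lib "crypt32.dll" ( _
    pDataIn As DATA_BLOB, ByVal szDataDescr As Long, ByVal pEntropy As Long, _
    ByVal pvReserved As Long, ByVal pPrompt As Long, ByVal dwFlags As Long, _
    pDataOut As DATA_BLOB) As Long
Private Declare Function CryptUnprotectData Lib "crypt32.dll" ( _
    pDataIn As DATA_BLOB, ByVal ppszDataDescr As Long, ByVal pEntropy As Long, _
    ByVal pvReserved As Long, ByVal pPrompt As Long, ByVal dwFlags As Long, _
    pDataOut As DATA_BLOB) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
    Dest As Any, ByVal Src As Long, ByVal cb As Long)
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long

' Hypothetical helper: Protect=True encrypts Buf, False decrypts it (Buf non-empty).
Private Function Dpapi(Buf() As Byte, ByVal Entropy As String, _
                       ByVal Protect As Boolean) As Byte()
    Dim blobIn As DATA_BLOB, blobOut As DATA_BLOB, blobEnt As DATA_BLOB
    Dim ent() As Byte, pEnt As Long, ok As Long, result() As Byte
    blobIn.cbData = UBound(Buf) - LBound(Buf) + 1
    blobIn.pbData = VarPtr(Buf(LBound(Buf)))
    If Len(Entropy) > 0 Then
        ent = Entropy                       ' UTF-16 bytes of the string
        blobEnt.cbData = UBound(ent) + 1
        blobEnt.pbData = VarPtr(ent(0))
        pEnt = VarPtr(blobEnt)              ' stays 0 (NULL) when no entropy is used
    End If
    If Protect Then
        ok = CryptProtectData(blobIn, 0, pEnt, 0, 0, CRYPTPROTECT_UI_FORBIDDEN, blobOut)
    Else
        ok = CryptUnprotectData(blobIn, 0, pEnt, 0, 0, CRYPTPROTECT_UI_FORBIDDEN, blobOut)
    End If
    If ok = 0 Then Err.Raise vbObjectError + 1, , "DPAPI failed: " & Err.LastDllError
    ReDim result(0 To blobOut.cbData - 1)
    CopyMemory result(0), blobOut.pbData, blobOut.cbData
    LocalFree blobOut.pbData                ' output buffer is allocated by Windows
    Dpapi = result
End Function

Public Sub Demo()
    Dim secret() As Byte, sealed() As Byte, opened() As Byte, s As String
    secret = "ExampleDbPassword"                  ' constructed sample value
    sealed = Dpapi(secret, "MyAppEntropy", True)  ' first run: persist this BLOB
    opened = Dpapi(sealed, "MyAppEntropy", False) ' later runs: same Windows user
    s = opened: Debug.Print s
End Sub
```

With the flags shown, the BLOB is tied to the current Windows user on this machine; adding CRYPTPROTECT_LOCAL_MACHINE (&H4) to dwFlags ties it to the machine instead, so any user on that machine can unprotect it. The entropy string still lives in the program, which is the "subpassword" limitation raised in post #7.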

  8. #8
    Member gilman's Avatar
    Join Date
    Jan 2017
    Location
    Bilbao
    Posts
    59

    Re: Database Security

    I think that the problem is that, with a code like this:
    Code:
    Option Explicit
    
    Private Const Password = "MiPassword"
    
    Private Sub Form_Load()
        MsgBox "The password is " & Password
    End Sub
    If you edit the compiled exe with a Unicode editor, you can see your string constants:
    [Image: Version1.jpg]
    If that is the problem, you can try hiding your password; for example, you can hold it in an array:
    Code:
    Option Explicit
    
    Private Password(9) As String
    
    Private Sub Form_Load()
        Password(8) = "r"
        Password(9) = "d"
        Password(1) = "i"
        Password(0) = "M"
        Password(4) = "s"
        Password(3) = "a"
        Password(2) = "P"
        Password(6) = "w"
        Password(5) = "s"
        Password(7) = "o"
        
        MsgBox "The password is " & Join(Password, "")
    End Sub
    Now if you compile this code and open it with a Unicode editor, it is not so easy to find the password:
    [Image: Version2.jpg]
    It can be combined with other methods, and if this is not enough, I think nothing will be.

  9. #9
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    32,446

    Re: Database Security

    The real question is: How secure does it really need to be? What kind of database is it anyways? Based on the wording, I assumed Access, but it's never explicitly stated.

    -tg