VBA Project security & "Back Door"

Posted on 2004-09-10
Medium Priority
Last Modified: 2008-02-01
   OK. Maybe this has been discussed a million times. Or maybe the concept is so basic that anyone who knows how to write a MACRO should know it already. But since it is unknown to me and I couldn't find it in the PAQ's, here goes.

    Is there a beter way to secure a VBA Project then with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.

    I had thought that the above method was probably secure enough because someone wanting to hack it would have to use a "brute fors" type of program and you could make it fairly secure by using a strong password. However I just came across a program called ******** ****** ** ******** ******** that uses a "back door" to either delete the password or set it to anything the user desires.

Any comments or thoughts?
Question by:will_scarlet7
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 58

Assisted Solution

by:Jim Dettman (Microsoft MVP/ EE MVE)
Jim Dettman (Microsoft MVP/ EE MVE) earned 400 total points
ID: 12027886
<<  Is there a beter way to secure a VBA Project then with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.>>

  You can distribute a MDB as in MDE format, which removes all the source code.  However that does cause other problems.  Outside of that, no.  Access and VBA are both easily broken.  As you mentioned, there are many utilities out on the net to crack them.  

LVL 15

Author Comment

ID: 12028488
ThanX for the reply Jim!
    I have gotten so used to the ease of using MDB files instead of MDE's (especially since Access looses report formating so easily).  I also do programming in Excel & Word, so was more curious in the "general" aspect of the VBA project security.
    Is there really a known "back door" to the VBA Project password? Or is that just what the company calls their brute force attack?

Your input is appreciated, and if no one else feels the need to enter the discussion by tomorrow I will award you full points. Like I said above it is basically a leisurely, for info question from my perspective, but I have rarely seen questions older than a day generate much new input in this TA due to the sheer volume of questions.

God bless!
LVL 36

Expert Comment

ID: 12029857

anyone with local access to the system can potentially crack anything..vba, access security...even the machine administrator password..(and therefore possibly sql server integrated security)...i've got a nice linux based utility that fits on a floppy here that resets a win2k admin pwd to anything...as the network admin, i only use the tool for good..and keep it locked in the safe (not that it's not available on the internet) but you can see where this could be a problem

..as with anything regarding security....it all depends on time and how much effort they want to expend.

make things as difficult as possible and that's about all you can do...

One trick you can use for many passwords is to use special extended characters eg: alt-numpad-123

Most if not all brute force cracks can not deal with these chars (at least last time i checked) and your passwords remain safe(r)

note that some programs can't deal with them either...so test it first...

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 15

Author Comment

ID: 12031093
ThanX Sid!
    I'm still fishing for one particular answer though (this is not to say your comment was not good and appreciated). Is this program really exploiting a "back door"? If so it does not seem like any clever passwords would be any better than jus using "me". I mean if the program can just delete or re-set the password without having to discover the old one, then...

Thank you for your input!

LVL 36

Accepted Solution

SidFishes earned 600 total points
ID: 12031398
Not sure of the specifics of the "feature" but as far as i can tell it's a true backdoor

"Professional Edition has an additional feature: VBA backdoor. With it, the password is not being recovered at all; however, you're able to open VBA project (to view/edit the code) after entering any password; of course, you should have the application (this document has been created with) installed."

I'm going to post a q on a security board i frequent and see if someone knows the exact mechanics of the "feature"

in the meantime let's sing!...

You say toMAYto I say toMAHto
You say poTAYto I say poTAHto
Microsoft says Feature I say Exploit

LVL 36

Expert Comment

ID: 12031405
All together now

...Let's call the whole thing off...

LVL 26

Assisted Solution

dannywareham earned 400 total points
ID: 12038902
I've found limited means of protecting my databases, but it basically means creating lots of security measures - its still not hack proof.

How I generally do it is:

1. Create a users table and use a function to return the computer login name (this can also be done with IP address)
2. Use VBA to check if the user exists - if not close the app.
3. Disable the bypasskey
4. Set a db password (easily broken)
5. Password protect all VBA
6. Distribute as MDE

As I say - still not perfect, as, if you crack the db password, you can import objects into a new db.

Unfortunately, as long as there are people wanting to break into anything (applications, code, property), there will always be this problem.

LVL 15

Author Comment

ID: 12041967
Hi Guys,
ThanX for joining in on the discussion! Your points were appreciated. I increased the total points, and gave 100 to both dannywareham & JDettman, and 150 to sid fishes for the info about the "back door".

God bless!

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes a method of delivering Word templates for use in merging Access data to Word documents, that requires no computer knowledge on the part of the recipient -- the templates are saved in table fields, and are extracted and install…
If you need a simple but flexible process for maintaining an audit trail of who created, edited, or deleted data from a table, or multiple tables, and you can do all of your work from within a form, this simple Audit Log will work for you.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question