VBA Project security & "Back Door"

Posted on 2004-09-10
Last Modified: 2008-02-01
   OK. Maybe this has been discussed a million times. Or maybe the concept is so basic that anyone who knows how to write a MACRO should know it already. But since it is unknown to me and I couldn't find it in the PAQ's, here goes.

    Is there a better way to secure a VBA Project than with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.

    I had thought that the above method was probably secure enough because someone wanting to hack it would have to use a "brute force" type of program and you could make it fairly secure by using a strong password. However I just came across a program called ******** ****** ** ******** ******** that uses a "back door" to either delete the password or set it to anything the user desires.

Any comments or thoughts?
Question by:will_scarlet7
LVL 58

Assisted Solution

by:Jim Dettman (Microsoft MVP/ EE MVE)
Jim Dettman (Microsoft MVP/ EE MVE) earned 100 total points
ID: 12027886
<<  Is there a better way to secure a VBA Project than with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.>>

  You can distribute an MDB in MDE format, which removes all the source code.  However that does cause other problems.  Outside of that, no.  Access and VBA are both easily broken.  As you mentioned, there are many utilities out on the net to crack them.  

LVL 15

Author Comment

ID: 12028488
ThanX for the reply Jim!
    I have gotten so used to the ease of using MDB files instead of MDE's (especially since Access loses report formatting so easily).  I also do programming in Excel & Word, so was more curious in the "general" aspect of the VBA project security.
    Is there really a known "back door" to the VBA Project password? Or is that just what the company calls their brute force attack?

Your input is appreciated, and if no one else feels the need to enter the discussion by tomorrow I will award you full points. Like I said above it is basically a leisurely, for info question from my perspective, but I have rarely seen questions older than a day generate much new input in this TA due to the sheer volume of questions.

God bless!
LVL 36

Expert Comment

ID: 12029857

anyone with local access to the system can potentially crack anything..vba, access security...even the machine administrator password..(and therefore possibly sql server integrated security)...i've got a nice linux based utility that fits on a floppy here that resets a win2k admin pwd to the network admin, i only use the tool for good..and keep it locked in the safe (not that it's not available on the internet) but you can see where this could be a problem with anything regarding all depends on time and how much effort they want to expend.

make things as difficult as possible and that's about all you can do...

One trick you can use for many passwords is to use special extended characters eg: alt-numpad-123

Most if not all brute force cracks can not deal with these chars (at least last time i checked) and your passwords remain safe(r)

note that some programs can't deal with them test it first...


LVL 15

Author Comment

ID: 12031093
ThanX Sid!
    I'm still fishing for one particular answer though (this is not to say your comment was not good and appreciated). Is this program really exploiting a "back door"? If so it does not seem like any clever passwords would be any better than just using "me". I mean if the program can just delete or re-set the password without having to discover the old one, then...

Thank you for your input!

LVL 36

Accepted Solution

SidFishes earned 150 total points
ID: 12031398
Not sure of the specifics of the "feature" but as far as i can tell it's a true backdoor

"Professional Edition has an additional feature: VBA backdoor. With it, the password is not being recovered at all; however, you're able to open VBA project (to view/edit the code) after entering any password; of course, you should have the application (this document has been created with) installed."

I'm going to post a q on a security board i frequent and see if someone knows the exact mechanics of the "feature"

in the meantime let's sing!...

You say toMAYto I say toMAHto
You say poTAYto I say poTAHto
Microsoft says Feature I say Exploit

LVL 36

Expert Comment

ID: 12031405
All together now

...Let's call the whole thing off...

LVL 26

Assisted Solution

dannywareham earned 100 total points
ID: 12038902
I've found limited means of protecting my databases, but it basically means creating lots of security measures - it's still not hack proof.

How I generally do it is:

1. Create a users table and use a function to return the computer login name (this can also be done with IP address)
2. Use VBA to check if the user exists - if not close the app.
3. Disable the bypasskey
4. Set a db password (easily broken)
5. Password protect all VBA
6. Distribute as MDE

As I say - still not perfect, as, if you crack the db password, you can import objects into a new db.

Unfortunately, as long as there are people wanting to break into anything (applications, code, property), there will always be this problem.
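
Steps 1 to 3 of the list in the post above, sketched in Access VBA as an added example (not code from the poster or from any participant in this thread). The table `tblUsers`, its column `LoginName` and all procedure names are assumptions made for illustration; a reference to the DAO library is assumed as well.

```vba
Option Compare Database
Option Explicit

' Assumed (hypothetical) schema: table tblUsers with a text column LoginName.

' Step 1: return the Windows login name of the current user.
' The USERNAME environment variable can be changed by the user before
' Access starts, so this is a deterrent, not real authentication.
Public Function CurrentLogin() As String
    CurrentLogin = Environ$("USERNAME")
End Function

' Step 2: True only when the login name is listed in tblUsers.
Public Function IsAuthorisedUser() As Boolean
    Dim login As String
    login = Replace(CurrentLogin(), "'", "''")   ' escape quotes in the criteria
    If Len(login) = 0 Then Exit Function         ' empty name: stay False
    IsAuthorisedUser = _
        DCount("*", "tblUsers", "LoginName = '" & login & "'") > 0
End Function

' Step 3: disable the Shift bypass key. AllowBypassKey does not exist
' as a database property until it has been created once.
Public Sub DisableBypassKey()
    Dim db As DAO.Database
    Dim prp As DAO.Property
    Set db = CurrentDb
    On Error Resume Next
    db.Properties("AllowBypassKey") = False
    If Err.Number = 3270 Then                    ' 3270 = property not found
        Err.Clear
        ' Last argument True = DDL property: only an administrator of
        ' the database can change it afterwards.
        Set prp = db.CreateProperty("AllowBypassKey", dbBoolean, False, True)
        db.Properties.Append prp
    End If
    On Error GoTo 0
End Sub

' Run at startup, e.g. from an AutoExec macro (RunCode) or the Open
' event of the startup form.
Public Function StartupCheck() As Boolean
    DisableBypassKey
    If Not IsAuthorisedUser() Then
        MsgBox "You are not authorised to use this database.", vbCritical
        Application.Quit acQuitSaveNone
    End If
    StartupCheck = True
End Function
```

The bypass-key setting takes effect the next time the database is opened, and without it holding Shift at open skips the startup check entirely, which is why steps 2 and 3 only work as a pair.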

LVL 15

Author Comment

ID: 12041967
Hi Guys,
ThanX for joining in on the discussion! Your points were appreciated. I increased the total points, and gave 100 to both dannywareham & JDettman, and 150 to sid fishes for the info about the "back door".

God bless!


Question has a verified solution.
