Jegajothy vythilingam

Access 2007

My OS is Win 7 Prof 64-bit and I use Access 2007. I have a very small database that I created which I want to protect both at the file level as well as the data level, i.e. if someone opens the file, it will ask for a password which should be very hard to find within the application. And the other is, if the thief does succeed, the data will be encrypted and it will be seen as garbage without entering another password. How does one go about doing this? I hope the Gurus can please show me how.
ASKER CERTIFIED SOLUTION
chaau
This solution is only available to members.
Jack Leach

While Access does have some basic capability for password protecting files, it's just that - basic.

Access has a deserved reputation of being insecure for means of protecting sensitive data.  This is typically the top reason that people would migrate to a SQL Server backend.

Consider that Access is:
- a file based BE, meaning anyone who can write data through the FE has permissions to copy the BE file
- weak in protection to the point that someone who knows their way around fairly well can typically break any imposed protection.

Given the fact that it's file based and you only need a knowledgeable person to get past the minimal security, it's quite easy for someone to grab a copy of the file, take it home and plug away at it.

All that said, it's enough for many cases, but if you're quite concerned over it, you may want to consider a different backend for your Access application.

Cheers

Every hacking attack is successful depending on the hacker's knowledge. It does not matter if you are using Access or SQL Server. OK, to copy a SQL Server database is a bit more difficult but the principles described by Jack are still valid...

You should decide what security level is necessary for your small app.

1) You may encrypt the whole hard drive (Windows 7 Ultimate allows it) so nobody with little experience can read the stolen HD. More info: http://en.wikipedia.org/wiki/BitLocker (But the thief can ask for the password as the first step...)
2) You may encrypt the database only. More info: http://windows.microsoft.com/en-us/windows/encrypt-decrypt-folder-file#1TC=windows-7 (you may also find open source file encrypting software on the web)
3) You may store your data in a cloud or on a remote server (it is hard for ordinary people to steal such files but...)
4) You should not store passwords in the app but users should know them. The app should store and compare just the hash calculated from the password entered by users.

Remember the fact that each encryption requires strict rules for periodic data archiving because the archive restore is the cheapest way to get your corrupted or stolen data back. (Of course, the archive can also be stolen...)

Access 2007 made some big changes in the password protection for 2007, so I'd say that except for the most determined hacker a password-protected database would suffice for most needs.

Password protection in 2007+ automatically encrypts the file, but not the data in the file (at least to my understanding), so if I know the password I would see all data in plain text. The only way to actually encrypt the data would be to create routines that handle data inserts/updates for you, and perform your encryption there. This would of course be a big performance hit, so if you go this route take that into consideration.

That said, I agree with Jack regarding the viability of Access as a "secure" database platform. If you're overly concerned with data security, then Access probably isn't the best choice. Microsoft SQL Server Express is free and has all the security features of its big brother, and it integrates well with Access. You might consider moving to that platform.
Jegajothy vythilingam

ASKER

Thank you for the solution I needed. Gracias.