Secure Microsoft Access Passwords and Encryption in Access 2007

An article by Garry Robinson with research from Wayne Phillips

Hello Microsoft Access fans and skeptics. In this article, I am going to describe how you can improve on what already is a very significant security improvement in Access 2007, database encryption. The technical research for this article was provided by Wayne Phillips from everythingaccess.com.

Microsoft Access 2007 introduced a new file format for storing Access database information. Files in this format can be identified by the .ACCDB extension. Whilst Microsoft Access 2007 still supports the .MDB file type, the future of Access is going to be built around the .ACCDB format.

One of the most significant changes with the .ACCDB format is a new method of encryption that is based around the database password. This change is a very significant security improvement because encrypted ACCDB databases are (in theory) strong enough that they can only be cracked using very computer-intensive brute-force password recovery. Of course, as with all security, if lots of people do things the same way, the risk is far higher that someone will work out how to breach the security. This definitely applies to encrypting an Access 2007 database, because the default encryption algorithm used is RC4 with a 40-bit key, which is not as strong as it could be. In this article I am going to show you how to make your password-encrypted database more secure than the standard ACCDB encryption.

What is this encryption thing and why is it important

Here I would like to summarise from a detailed article on this topic by Wayne Phillips from the everythingaccess.com website. Wayne writes “Under the hood, Access 2007 reads and writes to the .ACCDB file in chunks also known as ‘pages’. These pages are of a fixed size: 4096 bytes long. Encryption occurs at page-level and in order to keep things simple (and for performance reasons) the encrypted pages must also be 4096 bytes long. In the ACCDB, every encrypted ‘page’ has a unique key which is derived from a password hash (which includes random base data). This is very significant because now the database password is no longer stored in the file (unlike earlier versions). This approach means only brute-force password recovery is possible.”

Another thing that Wayne points out is that the default encryption uses only a 40-bit key, which does let it down a little, but fortunately this can be bumped up to 128-bit encryption. Further on in this article, I will show you how to do that.

Before you start encrypting

If you are like me, when you read an article about databases, you will be tempted to rush to try it out on the database you are using. In this case, don’t do this; use the databases that come with this article and experiment in a folder that doesn’t have any other database. When you’re ready to add a password to your own database, make sure you have a system for remembering passwords, e.g. printed and stored in a safe deposit box.

Encrypting an Access 2007 Database with the standard 40 bit key

To encrypt a database, getting started is a similar process to that which you had to undertake for Access 2003 encryption. First you have to open Microsoft Access without selecting a database and then you browse to the database using the Open More Files option (see RHS of figure 1). After you choose the database, click the down arrow next to the Open button (see bottom of figure 1) and choose Open Exclusive.


Figure 1 – Open your database exclusively

Choose the Database Tools tab and choose Encrypt with Password as shown in Figure 2.


Figure 2 – Password Encryption on the 2007 ribbon

Enter a strong password (letters and numbers and special characters) and verify. Please write down your password somewhere at this stage.

Changing a password

Every now and again it is a good idea to change the database password. To do this, open the database exclusively. Now you will find the Decrypt Database button has replaced the Encrypt With Password button on the Database Tools tab in the Access ribbon. Use that button to remove the password.

Encrypting an Access 2007 Database with a 128 bit key

As mentioned before, Access now supports different RC4 encryption algorithm providers (also called cryptographic providers). Now let’s see how you can encrypt your ACCDB database with a longer key length, giving stronger encryption. Before you do this, it is recommended that you have a recent full system backup, because you will now be shown how to change the Windows registry.

To apply a stronger encryption to an ACCDB database, you need to make changes to your registry. To do this, click on the Windows start button and choose Run and enter RegEdit into the program dialog box.

Navigate through the hierarchy in the registry to the following key

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common

Note: the 12.0 in this registry key means Office 2007

Create a new key called Security (as shown in figure 3) if it doesn’t already exist.


Figure 3 ~ creating a key in the registry

Create a Multi-String Value called DefaultEncryption (if it doesn’t exist) as shown in figure 4:


Figure 4 ~ create a multi-value key in the registry

Rename the value New Value #1 as shown in figure 5 to

DefaultEncryption


Figure 5 ~ renaming the field value

Paste the following (on 3 separate lines in the one box) as shown in figure 6:

Microsoft Enhanced Cryptographic Provider v1.0
RC4
128


Figure 6 ~ adding the encryption setting values

Note: The format for the multi-value string is:

Value 1. Encryption provider name
Value 2. Encryption Algorithm
Value 3. Encryption Key Length

That completes your registry setup and the next time you encrypt a 2007 database, the (stronger) encryption algorithm that you specified in the registry will be used.
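The same registry change can be scripted. The following PowerShell is an added example, not part of the original article; it uses the key, value name and three strings given above, and the backup file name is a placeholder chosen for this example.

```powershell
# Added example: sets the per-user default that Access 2007 uses the NEXT time
# it encrypts a database. Key path and values are the ones given in the article.
$securityKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'
$valueName   = 'DefaultEncryption'
$settings    = @(
    'Microsoft Enhanced Cryptographic Provider v1.0',  # Value 1: provider name
    'RC4',                                             # Value 2: algorithm
    '128'                                              # Value 3: key length
)

# Safety net in addition to the full backup the article recommends: export the
# parent key to a .reg file (placeholder file name, assumption of this example).
$backupFile = Join-Path $env:TEMP 'office12-common-backup.reg'
reg.exe export 'HKCU\Software\Microsoft\Office\12.0\Common' $backupFile /y | Out-Null

# Create the Security key only if it does not already exist.
if (-not (Test-Path $securityKey)) {
    New-Item -Path $securityKey -Force | Out-Null
}

# Write the Multi-String (REG_MULTI_SZ) value: one string per line in RegEdit.
$params = @{
    Path         = $securityKey
    Name         = $valueName
    PropertyType = 'MultiString'
    Value        = $settings
    Force        = $true
}
New-ItemProperty @params | Out-Null

# Read the value back and confirm three entries in the expected order.
$current = (Get-ItemProperty -Path $securityKey -Name $valueName).$valueName
if ($current.Count -ne 3 -or (Compare-Object $current $settings -SyncWindow 0)) {
    throw "DefaultEncryption was not written as expected: $($current -join ' | ')"
}
"Provider : $($current[0])"
"Algorithm: $($current[1])"
"Key bits : $($current[2])"

# To return to the default later (see Cleanup), remove the value again:
# Remove-ItemProperty -Path $securityKey -Name $valueName
```

The setting only affects databases encrypted after it is written; an already encrypted database keeps its existing encryption until the password is removed and applied again.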

Note: If you are worried that this is all too complex, remember that only the person who applies a password has to make this registry key change. For everyone else, Access will sort out the encryption method to use from information inside the database.

Checking what encryption key has been used

Navigate to the database in Windows Explorer, right-click on the filename and choose to open it with Notepad or a hex editor of your choice, as shown in figure 7.


Figure 7 ~ how to look at the database in Notepad (in Windows XP Explorer)

Once you have the database open in your editor as shown in figure 8, you can find the encryption algorithm written near the top of the file. If no encryption has been used this area will be blank.


Figure 8 ~ The encryption used is visible in an editor

Warning: whatever you do please don’t change and save the database file when using these types of editors or you may corrupt it.
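A read-only check avoids the risk of saving the file from an editor. The following PowerShell is an added example, not part of the original article; the function name is hypothetical, and it assumes the provider name sits within the first 4096 bytes as ASCII or UTF-16LE text containing the words "Cryptographic Provider".

```powershell
# Added example: look for a provider name near the top of a file without
# ever opening it for writing. Get-AccdbProviderHint is a hypothetical name.
function Get-AccdbProviderHint {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $BytesToScan = 4096   # one page, the page size quoted in the article
    )
    # FileAccess.Read guarantees nothing can be written back to the database.
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] $BytesToScan
        $read   = $stream.Read($buffer, 0, $BytesToScan)
    } finally {
        $stream.Dispose()
    }
    # Assumption: the name is ASCII or UTF-16LE; try both, and both alignments.
    $candidates = @(
        [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read),
        [System.Text.Encoding]::Unicode.GetString($buffer, 0, $read),
        [System.Text.Encoding]::Unicode.GetString($buffer, 1, [Math]::Max($read - 1, 0))
    )
    $pattern = '[\x20-\x7E]*Cryptographic Provider[\x20-\x7E]*'
    foreach ($text in $candidates) {
        $match = [regex]::Match($text, $pattern)
        if ($match.Success) { return $match.Value.Trim() }
    }
    return $null   # per the article, the area is blank when no encryption is used
}

# Constructed sample (not a real database): filler bytes around a UTF-16LE name.
$sample = Join-Path $env:TEMP 'constructed-header-sample.bin'
$name   = [System.Text.Encoding]::Unicode.GetBytes('Microsoft Enhanced Cryptographic Provider v1.0')
$bytes  = [byte[]]((New-Object byte[] 64) + $name + (New-Object byte[] 64))
[System.IO.File]::WriteAllBytes($sample, $bytes)
Get-AccdbProviderHint -Path $sample
Remove-Item $sample
```

Run the function against a copy of each database you distribute to confirm that the provider you expect is recorded before the file leaves your machine.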

Finally, you may even be tempted to try other RC4 encryption providers. One way to find out what other RC4 encryptors are on your machine is to save a Word file in encrypted format as shown in Figure 9.


Figure 9 ~ Microsoft Word will show you encryption algorithms on your computer

Cleanup

If you don’t like the concept of 128 bit encrypted databases and want to return to using the standard 40 bit encryption, rename or delete any registry entries that you have added to the registry whilst following this article. After that, remove the password and add the password again.

Performance

One topic that I have neglected in this article is performance. If you’re thinking of encrypting a database that already runs slowly, please test performance before implementing encryption and after implementing encryption. You may notice different performance for different encryption algorithms.

Compressed files are not compressed

If the database has been encrypted, compressing using a tool such as WinZip will not compress the file at all.

To Find Out More

To find out more detail about encryption and Access passwords, I highly recommend that you head to this article by Wayne Phillips.
http://www.everythingaccess.com/encrypt

Here is what Microsoft has to say on this topic in an article that is aimed towards encryption of the more popular Office file types.
http://office.microsoft.com/en-gb/help/HA011403111033.aspx

For a description of RC4
http://en.wikipedia.org/wiki/RC4

For a description of SHA password encryption
http://en.wikipedia.org/wiki/SHA-1

For an overall description of the security measures for Access 2007, read Garry’s article for Microsoft
http://msdn.microsoft.com/en-us/library/bb421308.aspx

Download Samples

The sample download that I have set up includes a database that has NOT been encrypted, one that has been encrypted with RC4 with 40 bits key length and one that has been encrypted to RC4 with 128 bit key length. You will need Access 2007 to make these databases work and the password I have used for these samples is vb123.com

I suggest that you open the 128 bit encrypted file on all target computers to make sure that the encryption algorithm exists on those computers. If it doesn’t, those computers won’t be allowed to open the database.

Recommendations

Use strong passwords to prevent brute-force attack
Use the RC4-128 bit encryption algorithm if security is critical
Test that RC4-128 encrypted databases can be opened by your key users

About my researcher

Wayne Phillips is a very smart fellow who has provided an Access database recovery service at http://www.everythingaccess.com for a number of years and truly understands the structure of an Access Database. I found this out because Wayne has solved problems for me that would have stumped most of the best Microsoft Access specialists that I have met.


Garry Robinson
Garry Robinson was the editor of www.vb123.com and the Access Unlimited Newsletter. He wrote a book on Microsoft Access Protection and Security and has written many articles for the Smart Access Magazine. Amongst Garry's online contributions is an Access 2007 Security paper for MSDN at http://msdn2.microsoft.com/en-us/library/bb421308.aspx. When Garry isn't working, he likes playing golf, snorkeling and being dragged along to kids soccer and kids basketball and kids golf and kids surf lifesaving and the second son hasn't even started sports yet!
