Mark A Matte
markamatte at hotmail.com
Wed Dec 20 11:26:07 CST 2006
Hello All, I was asked to look at an A97 db. At first glance it was apparently created by the addressBook wizard. When I found they paid 2 or 3 grand for it about 6 years ago...kinda made me ill...but anyway. The I noticed some of the forms required a password. I looked at the tables...and sure enough there was tblPassword that had the input mask set to 'Password'...so I switched it...and there were the passwords...so I thought...they were all numbers. I tried the numbers when opening the forms...but no luck. Here is another confusing part...the db opens to Switchboard with the db window minimized...nothing is locked down...its wide open...why a password? Anyway...I went to design view...and what I found...really amazed me. There are about 16 lines of code that takes whatever you type in...does some Asc() some MOD some -+/* and loops through all of these calculations to come up with a number. I then realized that the numbers in the password table actually matched to a word/phrase/number and case sensitive. Since there is a single number that was the result of a list of calculations...I can't think of anyway to figure out what phrase would match the existing numbers. But I can put a phrase in...step through the code...see the resulting number...then go put it in the table. Has anyone seen/done something like this? Even thought this was 'purchased'(consultant came in and built...still makes me ill)....there is no documentation...or information related to who wrote this code...It should be ok to post here? Just curious what approaches others use for security. In and .MDE this would be brilliant in my opinion. Thanks, Mark A. Matte _________________________________________________________________ Experience the magic of the holidays. Talk to Santa on Messenger. http://clk.atdmt.com/MSN/go/msnnkwme0080000001msn/direct/01/?href=http://imagine-windowslive.com/minisites/santabot/default.aspx?locale=en-us