Password limitations

Guest

Hi, I am working on an audit project that involves security for Access, and
would love your thoughts and expertise. I am an auditor, not a developer, so
please make your responses as idiot-friendly as possible.
The company I'm working for uses logon authentication for their users to be
able to get into Access. The databases they can see are restricted based on
their logon. The questions I have are regarding passwords. I have been told
the following:
1) Passwords are a maximum of 6 characters
2) There is no password expiry in Access
3) Users are not locked out of Access after so many failed attempts to login.
It has been explained to me that these are Access limitations and cannot be
changed. Can anyone verify or point me to a support area somewhere where I
can evidence that these issues are indeed Access limitations, or, am I being
misinformed and these limitations could be corrected? From an audit
standpoint, these limitations could cause some weakness concerns.

Thanks for your help!!
HB
 
Rick Brandt

HB said:
Hi, I am working on an audit project that involves security for
Access, and would love your thoughts and expertise. I am an auditor,
not a developer, so please make your responses as idiot-friendly as
possible.
The company I'm working for uses logon authentication for their users
to be able to get into Access. The databases they can see are
restricted based on their logon. The questions I have are regarding
passwords. I have been told the following:
1) Passwords are a maximum of 6 characters
2) There is no password expiry in Access
3) Users are not locked out of Access after so many failed attempts
to login. It has been explained to me that these are Access
limitations and cannot be changed. Can anyone verify or point me to
a support area somewhere where I can evidence that these issues are
indeed Access limitations, or, am I being misinformed and these
limitations could be corrected? From an audit standpoint, these
limitations could cause some weakness concerns.

Thanks for your help!!
HB

While I can't positively answer your specific questions (I do think your
current information is correct), I would say that any situation with a high
enough security concern to even consider these issues is likely far beyond
the puny security capabilities of Access security.

Access security is breakable, both easily and quickly by anyone determined
enough to perform a Google search and spend a few dollars. If you are
concerned about protecting the data from outsiders then place the file in a
folder that is protected by NT network security and rely on that rather than
the security built into Access. If you need to protect the data from the
same people who are using the database, then the data should NOT be stored
in an MDB file. Move it to a server database that has more robust security
capabilities.

Access security is fine for what it is capable of and for what Microsoft
would likely tell you it is appropriate for, which is to discourage casual
snoops and unsophisticated miscreants. It is not much of a barrier to
someone who knows what they are doing.
 
Jonathan Shelby

Hi Rick / HB,

I agree with Rick on this one as well. I provided an audit a while ago
regarding the same issues and came up with the same observations. However,
there seems to be an over-reliance on the fact that there will be other risk
mitigations in play.

Therefore you may want to check the other supporting security measures
depending on the risks posed to the infrastructure / application whilst
understanding the business needs, requirements and capabilities.

Regards,

JS
 
Guest

Thank you both for your input. That's what we had thought, but it's nice to
have it verified. Now...how to prove that to the external auditors!!

Thanks and regards,
HB
 
TC

HB wrote:

(snip)

FWIW at this stage:

1) Passwords are a maximum of 6 characters

The user-level passwords are 15 or 16 characters, surely? (I don't have
Access here to check).

2) There is no password expiry in Access

That can be coded quite easily.

3) Users are not locked out of Access after so many failed attempts to login.

True.

HTH,
TC
 
