Persist Security Info =false Fails to Remove Password With Access 2007

  • Question

  • I'm trying to create a dll that developers can use to connect to a password-protected Access 2007 database without knowing the password. I can connect to the database fine using the connection string:

    "Provider='Microsoft.ACE.OLEDB.12.0'; Data Source=' & Source & '; Persist Security Info=false;Jet OLEDB:Database Password=testpassword;"

    When the connection is returned, however, the connection string still contains the password despite setting the "persist security info" keyword to false. Is there a way to remove the password from the connection string so that it is not visible to developers?

    Thanks!

    Saturday, September 10, 2011 9:22 PM

All replies

  • Hello VeliRolls,

    Thanks for your post.

    As far as I know, Persist Security Info is the property with which you can choose whether or not to keep your connection information after you're connected to the database.

    From MSDN library:

    Setting Persist Security Info to true or yes will allow security-sensitive information, including the userid and password, to be obtained from the connection after the connection has been opened. If you are supplying a userid and password when making a connection, you are most protected if that information is used to open the connection, and then discarded. As a result, your option that helps to provide greater security is to set Persist Security Info to false or no.

    This is especially important if you are supplying an open connection to an untrusted source or persisting connection information to disk. Keeping Persist Security Info as false helps ensure that the untrusted source does not have access to the security-sensitive information for your connection and also helps ensure that no security-sensitive information is persisted to disk with your connection string information.

    Persist Security Info is false by default.

    I hope this can help you.

    

    Have a nice day,


    Jackie Sun [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, September 13, 2011 6:04 AM
    Moderator
  • Thanks for the quick response. When connecting to an Access 2003 database I can set "Persist Security Info =False" in the connection string, and once the connection is open the password is stripped out of the connection string. Thus I can require developers to go through a dll to connect to the database and return the connection without them having direct access to the database password.

    However, in Access 2007 setting "Persist Security Info =False" does NOT strip the password out of the connection string. This effectively makes the dll pointless.

    So, my original question: "Is there a way to remove the password from the connection string so that it is not visible to developers?" should be modified to read "Is there a way to remove the password from the connection string FOR AN ACCESS 2007 DATABASE so that it is not visible to developers?"

    And is this change in the treatment of the connection string upon setting "Persist Security Info" to false a bug?

     

    Tuesday, September 13, 2011 2:38 PM
  • AFAIK, the Persist Security Info option only works for connection strings using the "Password" or "Pwd" parameter, so "Jet OLEDB:Database Password" would not be supported.

     


    Paul ~~~~ Microsoft MVP (Visual Basic)
    Tuesday, September 13, 2011 3:36 PM
  • Thanks, Paul. So does this mean there is no way to hide/remove the password from the connection string when connecting to an Access 2007 database?

     

     

    Tuesday, September 13, 2011 7:32 PM
  • Hi, you could try this way:

    Store the connection string in a config file, and use DPAPI to encrypt the
    sensitive bits. Here's a link to an MSDN mag article that's a good starting
    point:
    http://msdn.microsoft.com/msdnmag/is...a/default.aspx

    Hope this can help.

    Have a nice day,


    Jackie Sun [MSFT]

    Thursday, September 15, 2011 8:10 AM
    Moderator
  • I don't believe there is a way to remove it from the Connection instance, no. You would probably need to create a Class that wraps the Connection object and that doesn't expose the connection string info.
    Paul ~~~~ Microsoft MVP (Visual Basic)
    • Marked as answer by VeliRolls Thursday, September 15, 2011 6:26 PM
    Thursday, September 15, 2011 11:53 AM
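
The wrapper-class approach from the accepted answer, combined with the DPAPI suggestion earlier in the thread, as an added example that is not part of the original posts. The class name `AccessGateway`, its members and the pre-encrypted password blob are assumptions.

```vb
' Requires a reference to System.Security.dll for ProtectedData (.NET Framework).
Imports System.Data
Imports System.Data.OleDb
Imports System.Security.Cryptography
Imports System.Text

' Hypothetical wrapper: callers never receive the OleDbConnection
' or its ConnectionString, only disconnected query results.
Public NotInheritable Class AccessGateway
    Implements IDisposable

    ' Private: the connection (and the password inside its string) is never returned.
    Private ReadOnly _conn As OleDbConnection

    ' protectedPassword: password bytes previously encrypted with
    ' ProtectedData.Protect(..., DataProtectionScope.CurrentUser).
    Public Sub New(dataSource As String, protectedPassword As Byte())
        Dim pwd As String = Encoding.UTF8.GetString(
            ProtectedData.Unprotect(protectedPassword, Nothing, DataProtectionScope.CurrentUser))

        ' The builder escapes values, so dataSource cannot inject extra keywords.
        Dim b As New OleDbConnectionStringBuilder()
        b.Provider = "Microsoft.ACE.OLEDB.12.0"
        b.DataSource = dataSource
        b("Jet OLEDB:Database Password") = pwd
        _conn = New OleDbConnection(b.ConnectionString)
        _conn.Open()
    End Sub

    ' Runs a parameterised SELECT and returns disconnected data only.
    Public Function Query(sql As String, ParamArray args As Object()) As DataTable
        Using cmd As New OleDbCommand(sql, _conn)
            For Each a As Object In args
                ' OleDb parameters are positional ("?"); the name is ignored.
                cmd.Parameters.AddWithValue("?", If(a, DBNull.Value))
            Next
            Dim table As New DataTable()
            Using adapter As New OleDbDataAdapter(cmd)
                adapter.Fill(table)
            End Using
            Return table
        End Using
    End Function

    Public Sub Dispose() Implements IDisposable.Dispose
        _conn.Dispose()
    End Sub
End Class
```

Keeping the connection in a private field only removes the password from the public API: code running in the same process can still reach the field through reflection, and a CurrentUser-scoped DPAPI blob can be decrypted by anything running as that user.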