Hi,

I have a file DSN containing an encrypted password. I need to get the decrypted password and perform the steps. We are not storing the password anywhere else.

Is there any way to get the PWD using some routine or Sybase tool?

We are using Sybase version 9.0.2 (DBODBC9.DLL)... pretty old

Any help is highly appreciated.

Thanks

asked 27 Jul '11, 13:33

Vineet

edited 28 Jul '11, 16:56

Volker Barth

Thanks all for giving attention to this.

As I said earlier, retrieving the plain text password (PWD) from ENP is possible, but the steps need to be performed manually.

There is an alternate way to do it:

  1. You have a file DSN with an encrypted password.
  2. Create one dummy system/user DSN from the ODBC administrator tool. On the login tab, give a dummy username and password.
  3. Check the encrypt password check box. Press OK.
  4. Run regedit. Go to ODBC.INI. Copy and paste the encrypted password's value from the file DSN to ENP in the registry.
  5. Go back to the DSN through the ODBC administrator tool. Uncheck the encrypt password check box. Press OK.
  6. The PWD value in the registry will be updated with the actual password in plain text.

My concern was to do it through some script or executable.

answered 29 Jul '11, 04:57

Vineet

There is no method of getting the decrypted password from the encrypted password stored in your DSN... if there was then there wouldn't be much point in encrypting it!

Ok, I have researched this topic some more and as a result I have completely redacted my previous response because it is completely bogus and I want to make sure that I correct my mistakes. It turns out that there isn't much point in "encrypting" your password using ENP - see below.

The correct answer is that it is easy to get back your plain text password from the "encrypted password" (ENP) value. I have quoted "encrypted password" because, even though the password value is mangled to be something that is not easily remembered, there is no key required to get the original text back. Therefore the ENP value should be treated as a way of obfuscating the password text rather than encrypting it.

Here is how you can get your original plain text from the ENP value on Windows:

  1. Create a user DSN using dbdsn that includes the ENP value (copied from your File DSN) in the connection string.
    Example: dbdsn -w foo -c uid=dba;ENP=39f2ce6e
  2. Start the ODBC Data Source Administrator tool.
    Example, on a command prompt use: start odbcad32
  3. Open (configure) the User DSN that you have created - in my example this would be "foo".
  4. Switch to the Login tab of the ODBC Configuration for SQL Anywhere dialog box and uncheck the Encrypt password check box.
  5. Click OK to save the User DSN
  6. Back in your command prompt use dbdsn to get the DSN connection string:
    Example: dbdsn -g foo
    The output from my example is
          foo: UID=dba;PWD=sql;INT=NO
    Note my original encrypted password "39f2ce6e" was "sql".

So a note to all users: do not use ENP as a method to secure your passwords. Storing your password anywhere on your computer is not a good idea. This warning is given in the SQL Anywhere documentation for the ENP parameter:

Caution

When creating a data source, it is recommended that you do not include the encrypted password as part of the definition. Although both the ODBC Configuration For SQL Anywhere window in the Windows ODBC Data Source Administrator and the SQL Anywhere Data Source utility (dbdsn) have this capability, including this information poses a security risk.

answered 27 Jul '11, 13:39

Mark Culp

edited 28 Jul '11, 17:31

Thanks Mark for quick response.

Problem in hand:

  1. I have database created with password A. Created file DSN.
  2. Password gets changed to B.
  3. B is known to me. I need to reset password A into database which is in encrypted form.

Can I either decrypt the encrypted password and then reset it into the DB or reset using encrypted password (if possible)?

(27 Jul '11, 14:06) Vineet

I cannot think of a way of resetting the password back to A given that you only have ENC(A).... but why not just change your FILE DSN to have its password set to B or ENC(B)?

(27 Jul '11, 14:43) Mark Culp

Thanks for the suggestion but that is more difficult for our project. We are maintaining multiple databases and this will introduce other complexities in terms of upgrade and other operations (pwd change, db access).

(27 Jul '11, 19:04) Vineet

Mark, does your explanation only work for file DSNs?

For regular DSNs on Windows, my impression is a totally different one:

In case you set "No" to the "Encrypt password" option in the ODBC administrator, it's easy to get this password in plain sight, even if it has been stored encrypted before. Works for all SA versions I have used so far. (I won't tell the details.)

AFAIK, the ENP parameter is primarily useful to prevent eaves-dropping - it's obfuscation, not encryption. Besides that, you can still connect with the encrypted form when using a connection string with "UID=...;ENP=...".

(28 Jul '11, 03:55) Volker Barth

OK, File DSNs don't seem to store plain passwords. Regular DSNs can do.

(28 Jul '11, 04:41) Volker Barth

@Volker: You are correct, you will not be able to save/store a plain text password in a File DSN using the ODBC Administrator tool... but you can store a plain text password in a User DSN or System DSN. Of course this is not recommended... and FWIW it is not recommended storing of ENP passwords in a DSN either (see warning in my revised answer).

(28 Jul '11, 15:44) Mark Culp

Interestingly enough, I remember a discussion with Nick Elson on that (somewhat unexpected) ENP/DSN behaviour years ago in the newsgroups...

And I decided not to reveal/disclose the details here - but I'm glad you did.

(28 Jul '11, 16:38) Volker Barth

...and you could obviously copy the ENP password from a File DSN into a similar User/System DSN and de-obfuscate it that way...

(28 Jul '11, 16:40) Volker Barth

Yes, copying the ENP password from the File DSN to the User/System DSN is the point of my steps that I have outlined. I will make this clearer in my answer.

(28 Jul '11, 17:30) Mark Culp

Besides Mark's corrected answer, there's one more caveat to note (as I already wrote in a comment):

Unless you use a tool that only allows an UID and a PWD to connect (e.g. MS Access/Jet with ODBCDirect mode, IIRC), you can usually connect with the obfuscated form directly by replacing the PWD with ENP in the connection string.

So you would be able to connect to a SQL Anywhere demo database with both connection strings just as well:

-c "UID=DBA;PWD=sql;ENG=..."
-c "UID=DBA;ENP=39f2ce6e;ENG=..."

(I have not tested the exact values but taken them from Mark's answer.)

answered 28 Jul '11, 16:55

Volker Barth

Yes, this is correct.

(28 Jul '11, 18:03) Graeme Perrow
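
An added example, not part of the original thread and not SAP's code: since the answers above establish that ENP is reversible without a key and works as a credential in a connection string, an audit of File DSNs, connection strings and ODBC.INI registry exports should flag ENP exactly like PWD. The function name and sample inputs are assumptions constructed for illustration; the long-form parameter names Password and EncryptedPassword are included alongside the thread's PWD and ENP.

```python
import re

# Per the thread, ENP is reversible without a key, so it is reported
# alongside plaintext PWD rather than treated as protected.
KINDS = {
    "PWD": "plaintext",
    "PASSWORD": "plaintext",
    "ENP": "obfuscated (reversible)",
    "ENCRYPTEDPASSWORD": "obfuscated (reversible)",
}

# Matches KEY=value in File DSN lines, connection strings and .reg exports
# ("KEY"="value"). The lookbehind stops "Password" from matching inside
# "EncryptedPassword"; an empty value (PWD=;) is not a finding.
_CRED = re.compile(
    r'(?<![A-Za-z0-9_])(pwd|password|enp|encryptedpassword)"?\s*=\s*"?([^;"\s]+)',
    re.IGNORECASE,
)


def find_stored_credentials(text):
    """Return (line_no, key, kind) per stored credential; values are omitted
    so the audit report does not itself become a credential store."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CRED.finditer(line):
            key = match.group(1).upper()
            findings.append((line_no, key, KINDS[key]))
    return findings


# Constructed sample File DSN (driver name is a placeholder); the ENP value
# is the one quoted in the thread.
SAMPLE_FILE_DSN = """[ODBC]
DRIVER=<driver name placeholder>
UID=dba
ENP=39f2ce6e
"""

# The two connection strings quoted in the thread.
SAMPLE_CONNECTION_STRINGS = '''-c "UID=DBA;PWD=sql;ENG=..."
-c "UID=DBA;ENP=39f2ce6e;ENG=..."
'''

if __name__ == "__main__":
    for name, text in (("file DSN", SAMPLE_FILE_DSN),
                       ("connection strings", SAMPLE_CONNECTION_STRINGS)):
        for line_no, key, kind in find_stored_credentials(text):
            print(f"{name}: line {line_no}: {key} stored, {kind}")
```
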

There's no way to get the value of an encrypted password, but you can use the ODBC administrator to create a new one. Use the ODBC administrator (odbcad32.exe) to create a user DSN and enter the new password in plaintext. Make sure the "encrypt password" checkbox is checked before saving it. Then use dbdsn -g to read the DSN, which will display the ENP= value. Then you can edit your FileDSN with the new value.

answered 27 Jul '11, 14:53

Graeme Perrow

edited 27 Jul '11, 14:53

Thanks Graeme. Is there a way to toggle between check and un-check the "encrypt password" check box using some tool or programmatically? I have to reset pwd back to original value.

I can do this manually and decrypt the password but am looking for some tool or API which can do it for me.

Will SQLConfigDataSource or ConfigDSN API be able to help?

(27 Jul '11, 18:57) Vineet

As I said in my answer, you cannot get the unencrypted password from the encrypted value. Graeme's answer is telling you how you would go about creating a new encrypted password in your DSN.

[2011/July/28] This comment is completely bogus. See my revised answer for the correct response.

(27 Jul '11, 22:35) Mark Culp

question asked: 27 Jul '11, 13:33

question was seen: 25,772 times

last updated: 29 Jul '11, 09:42