Hi, I have a file DSN containing an encrypted password. I need to get the decrypted password and perform the steps. We are not storing the password anywhere else. Is there any way to get the PWD using some routine or Sybase tool? We are using Sybase version 9.0.2 (DBODBC9.DLL), pretty old. Any help is highly appreciated. Thanks
asked 27 Jul '11, 13:33 Vineet Volker Barth |
Thanks all for giving attention to this. As I said earlier, retrieving the plain text password (PWD) from ENP is possible, but the steps need to be performed manually. There is an alternate way to do it:
My concern was to do it through some script or executable.
answered 29 Jul '11, 04:57 Vineet |
Ok, I have researched this topic some more and as a result I have completely redacted my previous response because it is completely bogus and I want to make sure that I correct my mistakes. It turns out that there isn't much point in "encrypting" your password using ENP - see below.

The correct answer is that it is easy to get back your plain text password from the "encrypted password" (ENP) value. I have quoted "encrypted password" because, even though the password value is mangled to be something that is not easily remembered, there is no key required to get the original text back. Therefore the ENP value should be treated as a way of obfuscating the password text rather than encrypting it.

Here is how you can get your original plain text from the ENP value on Windows:
So a note to all users: do not use ENP as a method to secure your passwords. Storing your password anywhere on your computer is not a good idea. This warning is given in the SQL Anywhere documentation for the ENP parameter:
answered 27 Jul '11, 13:39 Mark Culp

Thanks Mark for the quick response. Problem in hand:
1. I have a database created with password A. Created a file DSN.
2. The password gets changed to B.
3. B is known to me.
I need to reset password A, which is in encrypted form, into the database. Can I either decrypt the encrypted password and then reset it into the DB, or reset using the encrypted password (if possible)?
(27 Jul '11, 14:06)
Vineet
I cannot think of a way of resetting the password back to A given that you only have ENC(A)... but why not just change your FILE DSN to have its password set to B or ENC(B)?
(27 Jul '11, 14:43)
Mark Culp
Thanks for the suggestion, but that is more difficult for our project. We are maintaining multiple databases and this will introduce other complexities in terms of upgrade and other operations (pwd change, db access).
(27 Jul '11, 19:04)
Vineet
Mark, does your explanation only work for file DSNs? For regular DSNs on Windows, my impression is a totally different one: In case you set "No" to the "Encrypt password" option in the ODBC administrator, it's easy to get this password in plain sight, even if it has been stored encrypted before. Works for all SA versions I have used so far. (I won't tell the details.) AFAIK, the ENP parameter is primarily useful to prevent eaves-dropping - it's obfuscation, not encryption. Besides that, you can still connect with the encrypted form when using a connection string with "UID=...;ENP=...".
(28 Jul '11, 03:55)
Volker Barth
OK, File DSNs don't seem to store plain passwords. Regular DSNs can do.
(28 Jul '11, 04:41)
Volker Barth
@Volker: You are correct, you will not be able to save/store a plain text password in a File DSN using the ODBC Administrator tool... but you can store a plain text password in a User DSN or System DSN. Of course this is not recommended... and FWIW storing ENP passwords in a DSN is not recommended either (see warning in my revised answer).
(28 Jul '11, 15:44)
Mark Culp
Interestingly enough, I remember a discussion with Nick Elson on that (somewhat unexpected) ENP/DSN behaviour years ago in the newsgroups... And I decided not to reveal/disclose the details here - but I'm glad you did.
(28 Jul '11, 16:38)
Volker Barth
...and you could obviously copy the ENP password from a File DSN into a similar User/System DSN and de-obfuscate it that way...
(28 Jul '11, 16:40)
Volker Barth
Yes, copying the ENP password from the File DSN to the User/System DSN is the point of my steps that I have outlined. I will make this clearer in my answer.
(28 Jul '11, 17:30)
Mark Culp
|
Besides Mark's corrected answer, there's one more caveat to note (as I already wrote in a comment): Unless you use a tool that only allows a UID and a PWD to connect (e.g. MS Access/Jet with ODBCDirect mode, IIRC), you can usually connect with the obfuscated form directly by replacing the PWD with ENP in the connection string. So you would be able to connect to a SQL Anywhere demo database with both connection strings just as well:

    -c "UID=DBA;PWD=sql;ENG=..."
    -c "UID=DBA;ENP=39f2ce6e;ENG=..."

(I have not tested the exact values but taken them from Mark's answer.)
answered 28 Jul '11, 16:55 Volker Barth

Yes, this is correct.
(28 Jul '11, 18:03)
Graeme Perrow
|
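An added example (not from the thread and not SQL Anywhere tooling): since the answers above establish that an ENP value is only obfuscated and can be used as-is in a connection string, this audits File DSN text for stored PWD or ENP entries so they can be removed. It assumes the INI-style `[ODBC]` File DSN layout and that the credential sits under the short or long connection parameter name; the sample DSN and its values are constructed placeholders.

```python
import os

# Credential-bearing connection parameters (short and long names).
# ENP counts as a finding: per the thread it is reversible obfuscation
# and can be presented directly in a connection string.
CREDENTIAL_KEYS = {
    "pwd": "plaintext password",
    "password": "plaintext password",
    "enp": "obfuscated password (reversible, usable as-is)",
    "encryptedpassword": "obfuscated password (reversible, usable as-is)",
}

def audit_file_dsn(text, source="<dsn>"):
    """Return (source, line, section, key, kind) per stored credential.
    The credential value itself is never copied into the findings."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        kind = CREDENTIAL_KEYS.get(key.strip().lower())
        if sep and kind and value.strip():
            findings.append((source, lineno, section, key.strip(), kind))
    return findings

def audit_tree(root):
    """Audit every *.dsn file found under the directory `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".dsn"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += audit_file_dsn(fh.read(), path)
    return findings

# Constructed sample File DSN; every value is a placeholder.
SAMPLE_DSN = """[ODBC]
DRIVER=SQL Anywhere driver (placeholder)
UID=DBA
ENP=0000placeholder0000
EngineName=demo
"""

if __name__ == "__main__":
    for src, lineno, section, key, kind in audit_file_dsn(SAMPLE_DSN, "sample.dsn"):
        print(f"{src}:{lineno} [{section}] {key}: {kind}")
```

A clean result means the DSN holds no PWD or ENP entry and the password has to be supplied at connect time.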
There's no way to get the value of an encrypted password, but you can use the ODBC administrator to create a new one. Use the ODBC administrator (odbcad32.exe) to create a user DSN and enter the new password in plaintext. Make sure the "encrypt password" checkbox is checked before saving it. Then use dbdsn -g to read the DSN, which will display the ENP= value. Then you can edit your FileDSN with the new value.
answered 27 Jul '11, 14:53 Graeme Perrow

Thanks Graeme. Is there a way to toggle between check and un-check of the "encrypt password" check box using some tool or programmatically? I have to reset the pwd back to its original value. I can do this manually and decrypt the password, but am looking for some tool or API which can do it for me. Will the SQLConfigDataSource or ConfigDSN API be able to help?
(27 Jul '11, 18:57)
Vineet
[2011/July/28] This comment is completely bogus. See my revised answer for the correct response.
(27 Jul '11, 22:35)
Mark Culp
|