  From the September 2008 Issue of Prestwood eMag
 
Paradox Tables:
About Paradox Table Security--Encryption
 
Posted 6 years ago on 6/17/2008 and updated 9/1/2008
Take Away: Overview of using Paradox's table encryption to secure your data.

KB101193



Security is not what most people think it is. Usually, when someone says "I want my data secure," what they mean is that they want a 100% guarantee that no one will get to the data, no matter what. Unfortunately, that's impossible. Making your data and your application secure is about adding layers of security. By implementing security best practices and adding layers of security, you can make your data as safe as or safer than any organization's data. This article discusses adding Paradox's passwords to your Paradox tables to add a layer of security to protect your data. In the summary, I also discuss a couple of additional layers you should think about implementing.

Overview

With Paradox tables, you can add passwords to each table that prevent users from opening the table, entering data, altering the structure of the table, etc. Paradox's password features include advanced options such as preventing certain users from updating certain fields in a table!

Password Features:

  • Two Types of Passwords - Paradox tables offer two types (or levels) of passwords on each table. Each table can have one and only one master password and can have several auxiliary passwords.
     
  • Master Password -  With each table you can establish a master password which both grants access to the table and encrypts the data (to a degree) within it. The master password has full rights to the table or none. With a single master password it's all or nothing. This level of security works for some people and if you need an all or nothing approach, then just add a master password to every table. If you use the same password for all tables, you'll have to enter the password only once.
     
  • Auxiliary Passwords (Table-level) - With each auxiliary password, you can specify the following rights for the table:
    • Read-only
    • Read and Update
    • Read, Update, and Edit (data entry)
    • Read, Update, Edit, and Insert/Delete
    • Read, Update, Edit, Insert/Delete, and Restructure
       
  • Auxiliary Passwords (Field-level) - Auxiliary passwords also allow you to grant access rights to each field. If the table rights are set to Read-Only, you can specify Read-Only or None for each field; for others, you can specify Full, Read-Only, or None.

Creating Password Protected Paradox Tables

To add a master or auxiliary password to an existing Paradox table, restructure it and select the Passwords tab. The Passwords tab is also available when you create a table. Select the Define button to create the master password. Notice the right-side options are not available for master passwords (it's all or nothing).

Create Master Password

 
Adding Auxiliary Passwords

Select Add to add an auxiliary password and Remove to remove one.

Bizarre Behavior Note: For some reason, the designers of this dialog box really mangled the user interface. The Table Rights panel uses a series of check boxes rather than radio buttons. Check boxes usually mean on or off for that item and, when used in a series, usually mean any combination is allowed. Not so with Table Rights: it's a gradually increasing set of rights. Not a big deal, but it might throw some users.

Create auxiliary password.

 
Tip
Whether I'm using Paradox tables, MS SQL 2005, Oracle, whatever, I generally create three levels of passwords (roles on MS SQL 2005). One master or full access password (used by the developer), one read-only password, and one edit password (defined in the dialog above). You can get more complicated if the application warrants it.

Using Password Protected Paradox Tables

Passwords are entered and used per BDE session. Once you enter a password to a session, any table that requires that password will automatically use it. The first time you attempt to use a password protected Paradox table, you'll have to enter the password. For example, the following dialog is displayed when you open a password protected Paradox table using Paradox for Windows.

Paradox, Enter Password

This dialog adds and removes passwords from the session. You can also get to it in Paradox for Windows by selecting Tools | Security | Passwords. It's a bit overdone (confusing) but it allows you to add a single password or multiple passwords as well as remove any previously entered password or all passwords. Enter a password you wish to work with and select either OK (dialog closes), Add (dialog stays open), or Remove (dialog stays open). To remove all previously entered passwords, select Remove All.

Summary

Adding security is about adding layers of protection. The more layers you add, the more secure your data. Adding Paradox passwords to your tables is a great way to add an additional layer of security. It's not the most secure encryption method, but it is a good additional layer of security. In addition to Paradox passwords, you should think about other issues including the following:

  • Be Pessimistic - Don't think "if a hacker", think "when". Too frequently apathy sets in until you've been attacked by a hacker trying to get your data. The time to think about security is before someone attacks.
     
  • Are your passwords secure? How and where you store your master list of passwords is important. If someone steals your passwords, they will be one step closer to getting to your data. If several people know your master passwords and your data requires a high level of security, consider changing your master passwords periodically.
     
  • Physical Security - Your data is stored on some type of storage device. Is that device secured? How hard would it be for someone to steal the device? If someone steals your device, they can spend a long time trying to read it. Usually, hackers have great success with hex readers and other tools that look at and unscramble the raw bits stored.
     
  • Double Encryption - If you encrypt (obfuscate, scramble or mangle) the sensitive data in your tables prior to posting the data, you are adding yet another layer of security. That's helpful if someone does manage to get your passwords and the tables. I recommend you encrypt sensitive data such as social security numbers, credit card numbers, passwords, etc. prior to posting to a field in your database. Your data is more secure if you scramble sensitive data in the database and make use of Paradox's password features (double encryption).
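
The "Double Encryption" advice above, as an added example (not code from the original article or from Prestwood): each sensitive value is sealed with AES-256-GCM before it is posted, so a copied table file or a known table password yields only ciphertext. The table, field and record-key names and the helper functions are hypothetical, and the 32-byte key is assumed to be stored outside the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// setup builds AES-256-GCM and a context tying a value to one table, field and record key.
func setup(key []byte, table, field, recKey string) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	return aead, []byte(table + "\x00" + field + "\x00" + recKey), err
}

// EncryptField returns base64(nonce || ciphertext || tag) for storage in a text field.
func EncryptField(key []byte, table, field, recKey, plain string) (string, error) {
	aead, ctx, err := setup(key, table, field, recKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(plain), ctx)), nil
}

// DecryptField fails if the value was altered or moved to another row or field.
func DecryptField(key []byte, table, field, recKey, stored string) (string, error) {
	aead, ctx, err := setup(key, table, field, recKey)
	raw, decErr := base64.StdEncoding.DecodeString(stored)
	if err != nil || decErr != nil || len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", fmt.Errorf("bad key or malformed stored value")
	}
	n := aead.NonceSize()
	plain, err := aead.Open(nil, raw[:n], raw[n:], ctx)
	return string(plain), err
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; a real key is random and kept outside the database
	fmt.Println(EncryptField(key, "customer", "SSN", "1001", "000-12-3456")) // constructed sample value
}
```

Before base64 encoding, the stored value is 28 bytes longer than the plaintext (12-byte nonce plus 16-byte tag), so size the destination field accordingly.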

That's it! If you have suggestions, comments, or questions, please post them below.

More Info

KB Post:  Paradox Tables - Lost Master Password Recovery
Article:  Security Tips: 13 Ways to Harden Your Code

Linked Message Board Threads

 Encrypting paradox tables in Paradox Tables MB Topic (13 replies)

Comments


Anonymous
Comment 1 of 3

Driver={Microsoft Paradox Driver (*.db )};CollatingSequence=nordan;dbq=dbqPath;defaultdir=DirPath;driverid=538;fil=Paradox 5.X;maxbuffersize=2048;maxscanrows=8;pagetimeout=5;paradoxnetpath=netpath;paradoxnetstyle=4.x;paradoxusername=admin;safetransactions=0;threads=3;uid=admin;PWD=PWD;usercommitsync=Yes;


I am using this connection string to access my password protected Paradox table. I can run my Select query, but I am getting this error: "ERROR [HY000] [Microsoft][ODBC Paradox Driver] Operation must use an updateable query." If I remove the password the query works fine. What would be the reason for this error? How do I solve this?

Thanks in advance.

---
Zobayer
Posted 38 months ago


A. I. Breveleri
Comment 2 of 3

"If i remove the password the query works fine. What would be the reason for this error?"

The most likely reason is that your Paradox driver session already has a password or passwords in effect, and at least one of those has write privileges, but the password that you are explicitly setting in the connect string is read-only.

-Al.

Posted 38 months ago


A. I. Breveleri
Comment 3 of 3

"Be Pessimistic".

Indeed, be very very pessimistic.  Both the Paradox engine (used by Paradox for DOS) and the BDE (used by Paradox for Windows, shipped with Delphi) contain and respond to built-in permanent passwords.  Most of the Paradox graybeards know these backdoor passwords, and you can probably find a Russian capitalist to sell them to you.

So it is not possible to construct a truly secure database using only the password protection coded into an unmodified BDE.  Even though few people know of these permanent passwords, and even fewer bother to remember what they are, it only takes one to compromise your data.

-Al.

Posted 38 months ago
 
KB Post Contributed By Mike Prestwood:

Mike Prestwood is a drummer, an author, and creator of the PrestwoodBoards online community. He is the President & CEO of Prestwood IT Solutions. Prestwood IT provides Coding, Website, and Computer Tech services. Mike has authored 6 computer books and over 1,200 articles. As a drummer, he maintains play-drums.com and has authored 3 drum books. If you have a project you wish to discuss with Mike, you can send him a private message through his PrestwoodBoards home page or call him 9AM to 4PM PST at 916-726-5675 x205.

