I am planning on deploying a fairly unsophisticated web application
using ASP. The app will read a user's record from an Access database
stored on the web server (the database file will not be anywhere
within wwwroot), display the contents of the record (in a pre-filled
out form) to the user, allow the user to makes any changes in the
form, and then submit the form information, which would then be
written to a new database.

My question goes to security. My plan is for each record in the
database to have a 4-digit PIN, so that only a user who can present
the right combination of account number (stored in a separate field)
and PIN can access their respective record. This seems too simple to
provide effective security. Am I right?

Also, what are the possible exploits a hacker could use to gain access
to the database. OK, that's a real open-ended and vague question, but
there it is anyway.

Finally, does using SQL server (as opposed to a simple DSN-less
connection to an Access database) provide better security from
unauthorized access to my data, or does it just multiply the
opportunities for intrusion?