Terri,
It is as recoverable as any Windows Domain account/password. This is the
advantage/curse of it. When a user calls support complaining that their
password doesn't work you can reset the password to whatever in User Manager
(Windows NT) or Win2K Server's Active Directory Users & Computers. Why,
unless you want to be able to hack accounts, would you want to store the
account name & password in clear text on the local machine? Seems like an
invitation to a hacker to just steal everything. But . . . through the
Windows APIs you can discover the currently logged in account name.
Password is another matter. And, this may not relate, but some services in
Windows 2000 can authenticate using Digest Authentication and that method
does ship the password across the network as clear text so it should be
possible to capture it. Last, but not least, if you defy my advice and
store the password in the connection string it's right there in that string.
Peeling it out is a simple matter of doing some fairly straightforward
string manipulation code.
But . . . I'd rather irritate my users and have better security.
"Terri" <te***@cybernets.com> wrote in message
news:cj**********@reader2.nmix.net...
Thanks Alan. I'd like to move to a Windows integrated security model because
of its security advantages, but unless I can demonstrate that the password
is recoverable on the local workstation I'm not going to get very far with
the people who can make the decision to move to Windows integrated security.
Thanks
"Alan Webb" <kn*****@hotmail.com> wrote in message
news:gY********************@comcast.com...
Terri,
Don't save the password in the connection string. Two, Microsoft with SQL
Server 2000 says that the recommended password scheme is Windows 2000
Integrated. But I am a stubborn, paranoid old cuss and don't like the
fact that a user can get to my databases by signing on to my Windows domain.
So I've got my SQL Server instance set up so it uses both SQL Server logins
independent of Windows. It's two account names/passwords for my users but
then it's also harder to hack my databases so I leave it like that. But . . .
when you set up an instance of SQL Server one of the choices you make is
the authentication method. At the moment I am allowing Windows Integrated
authenticated but then I am only one guy and three computers. If I was
getting paid by a client I'd probably set up my instance to require a
separate login.
"Terri" <te***@cybernets.com> wrote in message
news:cj**********@reader2.nmix.net...
> When I make a change in the Connection screen in an adp I get the message
> "Your password will not be encrypted before it is saved to the file. Users
> who view the source contents of the file will be able to see the account
> user name and password".
>
> I am trying to build a case for using NT accounts rather than SQL internal
> accounts. What are the steps required to access the locally saved password?
>
> Thanks,
> Chris
>
>
>
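The stored-password risk discussed in this thread can be checked for mechanically. The following is an added example, not code from any poster: a Python audit helper that parses an OLE DB/ODBC-style connection string, reports whether it carries a stored password or uses Windows integrated security, and returns a redacted copy safe for logs. The server, database and login names are constructed sample values.

```python
import re

# Common OLE DB / ODBC keyword spellings; extend for other providers (assumption).
SECRET_KEYS = {"password", "pwd"}
INTEGRATED = {"integrated security": {"sspi", "true", "yes"},
              "trusted_connection": {"yes", "true"}}

# key=value pairs separated by ';'. A value may be quoted with ' or " so that
# it can contain ';', with the quote character doubled to escape it.
_PAIR = re.compile(
    r"""\s*([^=;]+?)\s*=\s*("(?:[^"]|"")*"|'(?:[^']|'')*'|[^;]*)\s*(?:;|$)""")

def parse(conn_str):
    """Return the (key, value) pairs in order, with surrounding quotes removed."""
    pairs = []
    for m in _PAIR.finditer(conn_str):
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            q = val[0]
            val = val[1:-1].replace(q * 2, q)
        pairs.append((key, val))
    return pairs

def audit(conn_str):
    """Flag stored credentials and build a redacted copy (for logs, not for reuse)."""
    pairs = parse(conn_str)
    lowered = {k.lower(): v for k, v in pairs}
    integrated = any(lowered.get(k, "").lower() in ok
                     for k, ok in INTEGRATED.items())
    stored = any(k in SECRET_KEYS and v for k, v in lowered.items())
    redacted = ";".join(f"{k}=***" if k.lower() in SECRET_KEYS else f"{k}={v}"
                        for k, v in pairs)
    return {"integrated": integrated, "stored_password": stored,
            "redacted": redacted}

# Constructed sample connection strings (not taken from the thread).
SQL_LOGIN = ('Provider=SQLOLEDB.1;Data Source=DBSRV01;Initial Catalog=Sales;'
             'User ID=appuser;Password="ex;ample"')
WINDOWS_AUTH = ('Provider=SQLOLEDB.1;Data Source=DBSRV01;'
                'Integrated Security=SSPI;Initial Catalog=Sales')

if __name__ == "__main__":
    for s in (SQL_LOGIN, WINDOWS_AUTH):
        print(audit(s))
```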