On 8 Mar 2010, at 02:49, "Maddin, Peter" <[email protected]> wrote:
I need to call a C# method from MS Access 2003.
Do you really need to do it in C# (.Net)?
I need to pass in a string and return a string.
[...]
The goal is to pass in a string (which will be a password) and
return a hash of that string using MD5 or something similar.
[...]
If all you need is something to generate an MD5 hash and nothing more,
you could use an MD5 implementation directly - after all, MD5 is MD5.
There are a number of VBScript/VBA implementations to select from.
Remember to add a unique salt (per user). I often see systems where
you do a GROUP BY+COUNT() on the password column and you can see a
pattern - a number of users with the same hash which is usually the
MD5 hash of 'password', a known default, or similar (rainbow table
attack).
If you are concerned that someone can easily read your VBA code and
your salt, then you have other things to worry about. Using a .Net
class only offers obscurity and we all (should) know that obscurity
isn't security.
Of course, using a *shared* .Net class is useful, but as I said, MD5
is MD5 and, IMO, sharing that subroutine for the sake of potential
instability may not be worth it.
There is, of course, a performance argument - but how often does one
need to check a password hash in the user's session lifecycle (it is
Access after all).
I think I broke the rule of '1 fact per email'.
Regards Peter Maddin
Applications Development Officer
PathWest Laboratory Medicine WA
Phone : +618 9473 3944
Fax : +618 9473 3982
E-Mail : [email protected]
--
Richard Carde
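
The GROUP BY+COUNT() check described in the reply above, as an added example that is not part of the original thread: it runs that audit query against an unsalted and a per-user-salted table and shows the shared-hash pattern disappearing. The table layout, function names and sample accounts are assumptions constructed for illustration; MD5 is used only because it is the hash the thread discusses.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from the thread): three share a default password.
SAMPLE_USERS = [
    ("alice", "password"),
    ("bob", "password"),
    ("carol", "Tr0ub4dor&3"),
    ("dave", "password"),
]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()  # MD5 as in the thread

def build_table(per_user_salt: bool) -> sqlite3.Connection:
    """Hypothetical users table holding unsalted or per-user-salted hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash TEXT)")
    for name, password in SAMPLE_USERS:
        # A fresh random salt per user is stored next to the hash.
        salt = os.urandom(16) if per_user_salt else b""
        db.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (name, salt, md5_hex(salt + password.encode("utf-8"))),
        )
    return db

def shared_hashes(db):
    """Audit query: hashes stored for more than one user."""
    return db.execute(
        "SELECT pw_hash, COUNT(*) FROM users "
        "GROUP BY pw_hash HAVING COUNT(*) > 1 ORDER BY COUNT(*) DESC"
    ).fetchall()

def verify(db, name, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(md5_hex(row[0] + candidate.encode("utf-8")), row[1])

if __name__ == "__main__":
    print("unsalted:", shared_hashes(build_table(False)))
    print("salted:  ", shared_hashes(build_table(True)))
```
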