cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Decrypt DSN password ENP to PWD

Go to solution
Former Member

on ‎2011 Jul 27 2:33 PM

27,150

Hi,

I have a file dsn containing encrypted password. I need to get the decrypted password and perform the steps). We are not storing password anywhere else.

Is there any way to get the PWD using some routine or sybase tool?

We are using Sybase version 9.0.2 (DBODBC9.DLL)..pretty old

Any help is highly appreciated.

Thanks

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
Breck_Carter
Participant
‎2011 Jul 28 4:47 AM
0 Kudos

Please delete your reply... this is not the forum for advocating unethical or criminal activities.

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎2011 Jul 29 5:57 AM

Thanks all for giving attention to this.

As i said earlier, retrieving plain text password(PWD) from ENP is possible but steps need to perform manually.

There is alternate way to do it:

  1. you have file dsn with Encrypted Password.
  2. create one dummy system/user DSN from ODBC administrator tool. On login tab give dummy username and password.
  3. Chech encrypt password chech box. Press OK.
  4. Run regedit. go to ODBC.INI. Copy paste Encrypted password's value from file dsn to ENP in the registry.
  5. go back to the DSN through ODBC administrator tool. uncheck the encrypt password check box. press ok.
  6. PWD value in the registry will be updated with the actual password in plain text.

My concern was to do it through some script or executible.

Show replies
Show replies

Answers (3)

Answers (3)

MarkCulp
Participant
‎2011 Jul 27 2:39 PM
There is no method of getting the decrypted password from the encrypted password stored in your DSN... if there was then there wouldn't be much point in encrypting it!

Ok, I have researched this topic some more and as a result I have completed redacted my previous response because it is completely bogus and I want to make sure that I correct my mistakes. It turns out that there isn't much point in "encrypting" your password using ENP - see below.

The correct answer is that it is easy to get back your plain text password from the "encrypted password" (ENP) value. I have quoted "encrypted password" because, even though the password value is mangled to be something that is not easily remembered, there is no key required to get the original text back. Therefore the ENP value should be treated as a way of obfuscating the password text rather than encrypting it.

Here is how you can get your original plain text from the ENP value on Windows:

  1. Create a user DSN using dbdsn that includes the ENP value (copied from your File DSN) in the connection string.
    Example: dbdsn -w foo -c uid=dba;ENP=39f2ce6e
  2. Start the ODBC Data Source Administrator tool.
    Example, on a command prompt use: start odbcad32
  3. Open (configure) the User DSN that you have created - in my example this would be "foo".
  4. Switch to the Login tab of the ODBC Configuration for SQL Anywhere dialog box and uncheck the Encrypt password check box.
  5. Click OK to save the User DSN
  6. Back in your command prompt use dbdsn to get the DSN connection string:
    Example: dbdsn -g foo
    The output from my example is
          foo: UID=dba;PWD=sql;INT=NO
    Note my original encrypted password "39f2ce6e" was "sql".

So a note to all users: do not use ENP as a method to secure your passwords. Storing your password anywhere on your computer is not a good idea. This warning is given in the SQL Anywhere documentation for the ENP parameter:

Caution

When creating a data source, it is recommended that you do not include the encrypted password as part of the definition. Although both the ODBC Configuration For SQL Anywhere window in the Windows ODBC Data Source Administrator and the SQL Anywhere Data Source utility (dbdsn) have this capability, including this information poses a security risk.

Show replies
Show replies
Former Member
‎2011 Jul 27 3:06 PM
0 Kudos

Thanks Mark for quick response.

Problem in hand: 1. I have database created with password A. created file dsn. 2. password gets changed to B. 3. B is known to me. I need to reset password A into database which is in encrypted form.

Can I either decrypt the encrypted password and then reset it into the DB or reset using encrypted password (if possible)?

MarkCulp
Participant
‎2011 Jul 27 3:43 PM
0 Kudos

I cannot think of a way of resetting the pasword back to A given that you only have ENC(A).... but why not just change your FILE DSN to have its password set to B or ENC(B)?

Former Member
‎2011 Jul 27 8:04 PM
0 Kudos

Thanks for the suggestion but that is more difficult for out project.we are maintaining multiple databases and this will introduce other complexities in terms of upgrade and other operations(pwd change, db access)

VolkerBarth
Contributor
‎2011 Jul 28 4:55 AM
0 Kudos

Mark, does your explanation only work for file DSNs?

For regular DSNs on Windows, my impression is a totally different one:

In case you set "No" to the "Encrypt password" option in the ODBC administrator, it's easy to get this password in plain sight, even if it has been stored encrypted before. Works for all SA versions I have used so far. (I won't tell the details.)

AFAIK, the ENP parameter is primarily useful to prevent eaves-dropping - it's obfuscation, not encryption. Besides that, you can still connect with the encrypted form when using a connection string with "UID=...;ENP=...".

VolkerBarth
Contributor
‎2011 Jul 28 5:41 AM
0 Kudos

OK, File DSNs don't seem to store plain passwords. Regular DSNs can do.

MarkCulp
Participant
‎2011 Jul 28 4:44 PM
0 Kudos

@Volker: You are correct, you will not be able to save/store a plain text password in a File DSN using the ODBC Administrator tool... but you can store a plain text password in a User DSN or System DSN. Of course this is not recommended... and FWIW it is not recommended storing of ENP passwords in a DSN either (see warning in my revised answer).

VolkerBarth
Contributor
‎2011 Jul 28 5:38 PM
0 Kudos

Interestingly enough, I remember a discussion with Nick Elson on that (somewhat unexpected) ENP/DSN behaviour years ago in the newsgroups...

And I decided not to reveal/disclose the details here - but I'm glad you did.

VolkerBarth
Contributor
‎2011 Jul 28 5:40 PM
0 Kudos

...and you could obviously copy the ENP password from a File DSN into a similar User/System DSN and de-obfuscate it that way...

MarkCulp
Participant
‎2011 Jul 28 6:30 PM
0 Kudos

Yes, copying the ENP password from the File DSN to the User/System DSN is the point of my steps that I have outlined. I will make this clearer in my answer.

VolkerBarth
Contributor
‎2011 Jul 28 5:55 PM

Besides Mark's corrected answer, there's one more caveat to note (as I already wrote in a comment):

Unless you use a tool that only allows an UID and a PWD to connect (e.g. MS Access/Jet with ODBCDirect mode, IIRC), you can usually connect with the obfuscated form directly by replacing the PWD with ENP in the connection string.

So you would be able to connect to a SQL Anywhere demo database with both connection strings just as well:

-c "UID=DBA;PWD=sql;ENG=..."
-c "UID=DBA;ENP=39f2ce6e;ENG=..."

(I have not tested the exact values but taken them from Mark's answer.)

Show replies
Show replies
graeme_perrow
Advisor
Advisor
‎2011 Jul 28 7:03 PM
0 Kudos

Yes, this is correct.

graeme_perrow
Advisor
Advisor
‎2011 Jul 27 3:53 PM

There's no way to get the value of an encrypted password, but you can use the ODBC administrator to create a new one. Use the ODBC administrator (odbcad32.exe) to create a user DSN and enter the new password in plaintext. Make sure the "encrypt password" checkbox is checked before saving it. Then use dbdsn -g to read the DSN, which will display the ENP= value. Then you can edit your FileDSN with the new value.

Show replies
Show replies
Former Member
‎2011 Jul 27 7:57 PM
0 Kudos

Thanks Graeme. Is there a way to toggle between check and un-check the "encrypt password" check box using some tool or programmatically? I have to reset pwd back to original value.

I can do this manually and decrypt the password but am looking for some tool or API which can do it for me.

will SQLConfigDataSource or ConfigDSN API be able to help?

MarkCulp
Participant
‎2011 Jul 27 11:35 PM
0 Kudos
As I said in my answer, you cannot get the unencrypted password from the encrypted value. Graeme's answer is telling you how you would go about creating a new encrypted password in your DSN.

[2011/July/28] This comment is completed bogus. See my revised answer for the correct response.

Ask a Question