MS Word connected to DB/2: Cleartext host uid & pwd in document!

Kusche, Klaus (Klaus.Kusche@OOE.GV.AT)
Wed, 18 Mar 1998 15:39:02 +0100

Our office automation group asked me to post the following:

Environment:
MS NT 4.0
MS Word 97
IBM DB2 ODBC Client (and DB/2 on an OS/390 mainframe)

What to do:
1.) Create a Word document referring to the database (e.g. a mass
mailing letter accessing a DB/2 address database).
2.) Connect to the database, enter your userid and password for the
database server in the dialog.
3.) Save the document while the database connection is still established
(i.e. while you can still browse through the data in the database).

Effect:
The saved Word document contains your database server userid and
password ***in cleartext***!!! (except for a blank inserted every second
character, e.g. "pass" is stored as "p a s s").
You can check with any ASCII editor, e.g. Notepad.

Not good if your documents are on a fileshare to which others have read
access, even worse if you attach such a document to an external email!

We didn't check if the same is true for other MS Office applications
(Excel, ...) and for other databases requiring userids and passwords,
but we see no reason why other ODBC connections should behave better.

DI. Dr. Klaus Kusche
Oberoesterreichische Landesregierung / Government of Upper Austria
Rechenzentrum / Computing Centre
Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
Phone: +43 732 7720 - 3394 Fax: +43 732 7720 3198
Email: Klaus.Kusche@ooe.gv.at
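
Added example (not part of the original post, and not Microsoft or IBM code): a Python check that flags documents carrying ODBC credential keywords so they can be reviewed before they go to a fileshare or into a mail. It assumes the credentials sit in a connection string under the standard ODBC keywords UID= and PWD=, and that the "blank" after each character is either a NUL byte (UTF-16LE text) or a literal space; hits report offset and keyword only, never the value.

```python
import re
import sys

# Standard ODBC connection-string keywords. That Word saves the credentials
# under these keywords is an assumption of this example, not stated in the post.
KEYWORDS = (b"UID", b"PWD")
# Byte found after every character: none, NUL (UTF-16LE, assumed) or a blank.
FILLERS = {b"": "plain", b"\x00": "nul-interleaved", b" ": "blank-interleaved"}

# Constructed sample: fake OLE header bytes plus a made-up connection string.
SAMPLE = b"\xd0\xcf\x11\xe0junk" + "DSN=ADDR;UID=kk01;PWD=pass;".encode("utf-16-le")


def _pattern(keyword: bytes, filler: bytes) -> "re.Pattern[bytes]":
    """Match keyword, '=', then 1..64 value characters, each followed by filler."""
    head = b"".join(re.escape(bytes([c])) + re.escape(filler) for c in keyword + b"=")
    value = b"(?:[^;\\x00-\\x1f]" + re.escape(filler) + b"){1,64}"
    return re.compile(head + value, re.IGNORECASE)


def find_embedded_credentials(data: bytes):
    """Return sorted (offset, keyword, encoding) hits; values are never returned."""
    hits = set()
    for keyword in KEYWORDS:
        for filler, label in FILLERS.items():
            for m in _pattern(keyword, filler).finditer(data):
                hits.add((m.start(), keyword.decode(), label))
    return sorted(hits)


def scan_file(path: str):
    """Read a document as raw bytes and return its hits."""
    with open(path, "rb") as fh:
        return find_embedded_credentials(fh.read())


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    targets = sys.argv[1:]
    if not targets:
        print("sample:", find_embedded_credentials(SAMPLE))
    for path in targets:
        for offset, keyword, label in scan_file(path):
            print(f"{path}: {keyword}= at byte {offset} ({label})")
```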