Passwords - Easily Viewing Them

[The Flying PM]

Hello Community,

I found something, just now, that is a bit disconcerting. Maybe I'm missing
something.

I have a password-protected (read-only) project file and anyone that can
read it, can also find the password to the file. Again, they don't have to
know the password for write access. Anyone that can physically access the
file (pull it up in read-only mode) can relatively easily discover the
password to the file, and thus, get full write access.

Has anyone else encountered this?

 

[Jim Aksel]

This is not as disconcerting as it may seem. Anyone with read access to the
file has the ability to save their own copy (with our without write
protection). As long as the write protection password is in place and the
file is opened as read only, the original file cannot be overwritten with a
newer version. So, in order to corrupt the orginal file, the correct write
password must be supplied. Copies of the file that are made without the write
protection are uncontrolled.

A problem is created here, however. Since we typically publish a weekly
file (as read only), the Cost Account Managers routinely save another copy
and make changes to that. They send us that file as their "updates" and we
need to be careful that we don't overwrite the original with their modified
version. This was solved with a PDF file distribution.

 

[JulieS]

FlyingPM~

Could you give us some more information -
What version of Project are you using?
I am noticing several issues with password protected files in Project
2007.

When you say the password is visible -- where can you see it?

I hope this helps. Let us know how you get along.

Julie
Project MVP

Visit http://project.mvps.org/ for the FAQs and additional information
about Microsoft Project

 

[The Flying PM]

All,
My concern is that I didn't know people could easily find the clear text
password.

JulieS - Here's a quick run down on the steps:

- Project Professional 2003 (11.2.2005.1801.15) SP2
- Create a new dummy mpp and throw a couple tasks into it
- Do the normal File->Save As->Tools->General Options, and put in a write
password.
- Close the file.
- Re-open the file and do NOT enter the password. Open the file read-only.
- Click on Tools->Macro->Record New Macro
- Now that the macro is being recorded, click File->Save As
- In the "Save as Type" dropdown, select Microsoft Access Database
- Finish the steps to export to Access
- Stop recording the macro
- Pull up the macro to edit it in the VBE and you will see the password
(which the user did not enter when pulling up the file as read-only) stored
in the script as clear text.

 

[The Flying PM]

Jim,
I don't mind people being able to copy the plan and do what they want to
with it. What I don't want is people being able to see the password we use in
clear text. We sometimes, as humans do, don't follow strict security
protocols. For example, we use the same password for multiple things. With
project behaving this way, they can get the clear text password and access
all of our files that use that password.

 

[Jack Dahlgren]

Interesting, When I try to open a write protected file as read-only it gives
an error.

-Jack

 

[Jim Aksel]

This problem is reproducable in MS Project 2007, using the same procedure.
Instead of using Access, I attempted to export to XML. I am able to see a PW
in plain text if I edit the Macro.

[Julie: reference my e-mail to you, there is additional detail]

Thanks for bringing this up.

Jim

 

[Jim Aksel]

Yes, I get that same error in 2007. See my above post as well, I can
reproduce the password visibility error in 2007 if I key in the password
first. Of course, that is silly, I would have to know the password to run
the macro. But it appears we have stumbled on a problem with 2007.

 

[JulieS]

Hi Jack ~

With Project 2007, yes, I get an error. Project 2003 no error but I can
reproduce what the Flying PM noted.

Julie
Project MVP

Visit http://project.mvps.org/ for the FAQs and additional information
about Microsoft Project

 

[The Flying PM]

Do you MVPs have an express lane to report this to MS?

 

[JulieS]

Hi Flying PM~

Well, I can exactly reproduce what you detail. The password is also
recorded in clear text if I save as another project file.

I'm sorry, I don't have a suggestion for a fix or work around but I will
pass this along.

Julie
Project MVP

Visit http://project.mvps.org/ for the FAQs and additional information
about Microsoft Project

 

[JulieS]

I wouldn't call it an "express lane", but we do have some communication
channels that we are using to log this issue

Thanks for the clearly defined steps Flying PM. It makes the
communication much easier!

Julie
Project MVP