The question that never gets answered.. why ?

The question that never gets answered.. why ?

Post by Amamb » Wed, 02 Nov 2005 22:29:54


I posted the question below twice in the last several months and never
got any answers.

Is this because nobody knows, or because nobody cares to answer ?

The question is - is Money for PPC database encrypted, or is the
password there for "obfuscation" only ?

I tried Spb Pocket Finance and the program was able to import data from
Money for PPC v4 without asking for my password.

If the data is not encrypted, then anyone who ever steals your PPC
could get much of your financial info.
 
 
 

The question that never gets answered.. why ?

Post by Dick Watso » Thu, 03 Nov 2005 00:52:24

Have you tried looking at the data file to see if there's any plaintext? The
question probably hasn't been answered because nobody here knows or cares
enough to go try and figure out. If you watch the NG for a while, you will
see that our rate of questions answered is very high.

I don't know what underlies the PPC version. On the XP side, it's MSISAM
which is, apparently, JET in drag. Newer versions of JET supposedly
actually do something to encrypt the data. I do not know how robust (cypher
strength) the encryption is. There have been password crack tools, however.
I also don't know whether these tools work well with strong passwords.

If you are really worried about this, I'd suggest you not use the PPC or use
it only in a reasonably RF-tight Faraday cage. There are other security
exposures besides loss of physical control of the device.

 
 
 

The question that never gets answered.. why ?

Post by Amamb » Thu, 03 Nov 2005 09:32:47

Well, I am not worried about NSA or FBI finding out my account numbers
- they know it already.

A common thief has a different set of tools, and a database that was
encrypted with a long password and a strong algorythm is usually pretty
safe.

I wonder just how many people sync very sensitive information (bank
account #s, pin #s, etc) that is contained in the Account details in
their Money file, thinking that MS bothered to provide some kind of
security on PPC side.
 
 
 

The question that never gets answered.. why ?

Post by Dick Watso » Thu, 03 Nov 2005 12:25:52

We don't know that they didn't. Have you looked at the file for plaintext?
 
 
 

The question that never gets answered.. why ?

Post by Amamb » Thu, 03 Nov 2005 21:41:43


No, but as I said, Spb Pocket Finance was able to import my Money data
from PPC Money database without asking for a password.

It is well may be that the data is "obfuscated" in some way so that you
can't read it in a plaintext editor, but I doubt that it's really
encrypted, at least not in 2004 version.

Thanks for your help. I wish MS has released some data about Money file
security; I haven't found anything yet.