2011-11-03

Pastel 2011 user password encryption

Do you have a Pastel file that is password protected and you don't have the password?

Note: Make a backup before attempting the following.
The following was tested on Pastel 2011, but is likely to work for other versions as well.

Pastel accounting software uses the Pervasive SQL database to store all the accounting data. Open the Pervasive.SQL Control Center (there should be a Start menu entry). In the Pervasive.SQL Control Center, open the "AccountUser" table (follow the tree structure from Engines > $Computername$ > Databases > $Pastel database$ > Tables > AccountUser). If the database you are looking for isn't listed, add a new database and point its location to the folder containing your Pastel company's data.

Now that the "AccountUser" table is open you will see the following fields: Password; ID; Description; AccessTable; ...

The Password field is a Char(8) encrypted using a Caesar cipher shifted 18 places to the right on the ASCII table, e.g. an encrypted password "twwRRRRR" is actually "bee". Note that the empty positions of the field are denoted with the character "R".

If you wish to clear the password for a specific user, change the user's password field to "RRRRRRRR".

If you wish to decrypt the password, I find it best to copy the password into a hex editor, subtract 12 (hex) from each character and convert the result back to ASCII to obtain the original password.
Editing the password is the reverse of the decryption.

Yay for awesome Pastel security features! Why do they store the actual password, when using hashes for password verification is standard good practice? Why implement a password feature when the data it protects isn't even encrypted? (We are able to view/edit the data directly through the Pervasive.SQL Control Center or other applications, e.g. Excel using ODBC, but more on that later.)
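The contrast between the two storage approaches, as an added example that is not Pastel's code or part of the original post: the field encoding described above round-trips to the plaintext with no secret, while a salted hash only lets you check a candidate password. The function names and the PBKDF2 parameters are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os

SHIFT = 0x12  # 18 decimal: the shift the post describes
WIDTH = 8     # the Password column is Char(8)
PAD = "R"     # character the post says fills unused positions


def encode_field(password):
    """Shift each character up by SHIFT and pad to WIDTH, as the post describes."""
    if len(password) > WIDTH:
        raise ValueError("password longer than the Char(8) field")
    return "".join(chr(ord(c) + SHIFT) for c in password).ljust(WIDTH, PAD)


def decode_field(stored):
    """Recover the plaintext from a stored field; no key or secret is needed."""
    if len(stored) != WIDTH:
        raise ValueError("expected an 8-character field")
    # A password ending in '@' (0x40) also encodes to trailing 'R', so it
    # cannot be told apart from padding.
    return "".join(chr(ord(c) - SHIFT) for c in stored.rstrip(PAD))


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; parameters are choices made for this example."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Re-derive from the candidate and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


if __name__ == "__main__":
    stored = encode_field("bee")  # sample value taken from the post
    print(stored, "->", decode_field(stored))
    salt, digest = hash_password("bee")
    print(digest.hex(), verify_password("bee", salt, digest))
```

With the hashed form, anyone who can read the table sees only the salt and digest, and clearing or replacing a password still requires write access to the row rather than just reading it.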

So much for trying to keep your confidential Pastel accounting records confidential.
