Andreas - If someone were to crack the SAS014 encryption and obtain the decrypted value from the {SAS014}-encoded passwords, they would get a one-way hash of the original clear text password, which could not be used in SAS code to open the data set. You are correct that a brute-force attack on the eight-character alphanumeric passwords is an exposure. That’s why the administrator can set 3 different values for each to greatly change the number of possible clear text passwords from 27*(37**7) to (27**3)*(37**21). But perhaps we need to re-examine the documentation and clearly state that the MBL passwords could be used to gain access to the data so that the administrator is more careful in his/her choice of passwords and in guarding knowledge of them.