Jump to content

hide password


AndreasBoehmer
 Share

This topic is 7330 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Each one of my registered users can chose a username and password themselves. They are two normal fields in FMP and the whole security works fine. However, the way it is set up at the moment, I can simply open the database and see all their passwords. I don't really feel good about that, seeing that a lot of people use the same password for all their accounts and emails, etc. Also, I am afraid that somebody else might have a look at the database (the server is standing in a room that is sort of accessible to a few people).

Is there a way to replace the password-characters in FMP with the famous asterisks? So that nobody can see them, even with full access-rights to the database?

Link to comment
Share on other sites

Hi,

I have a really dumb workaround for this:

The password field has to be on the layout that is accessed from the web, but it doesn't have to be visible in Filemaker. You can just make it very small type white-on-white or hide it behind a coloured box.

Only you would know it was there.

I guess there's no way to make a field completely unreadable, because it would show up as plain text anyway as soon as you exported the records.

regards, Jeff

Link to comment
Share on other sites

I have a really neat solution for this. It involves running a script. That means it involves a workaround to the single-thread problem. Anyhow, the user registers their name and password once. Through a script the record which is created by the web is deleted - nothing left to see. In the process the client's personal information is removed to a remote db file. A unique id is established which is used for all further reference in another file which is web companion accessible.

When the client re-enters the site, they then go through a confirmation process (name and password) which is done through a script. Whoops, more workaround required. But the most sensitive information is never accessible through the web or the db files serving the web.

Link to comment
Share on other sites

The problem with any symbol based font is that although you cannot immediately tell that the password is "12345", it is pretty easy to figure out that it is that string of characters fron the "[email protected]#$%" symbols used .

Using a font that is only made up of a single symbol, such as the standard "*****", it is impossible to tell the difference between any characters.

Link to comment
Share on other sites

If you want the ultimate security, you don't actually store the password at all. You create a one-way hash function and store the hash of the password. Then, when the user tries to log in, he enters his password into a global field. Filemaker calculates the hash value on the global field and compares it with the stored hash value. If they are the same, then log the user in. If not, then as Anne Robinson would say, "goodbye."

For anyone not familiar with one-way hash functions, they are functions which produce a seemingly random (but repeatable) number from some input (the password in this case). They are designed so that you cannot determine the original input from the output (hence the "one-way"). The hash function has to generate a large enough output (say 128 bits or 16 characters) that there is negligible chance of someone randomly entering a password that would produce a matching hash.

Anyone with full access to the files could change the user's password, but could not derive a user's existing password.

Link to comment
Share on other sites

This topic is 7330 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.