BobWeaver Posted June 26, 2003

This seems to be a better place to continue the discussion that began in this thread. I've been doing some experimenting with Filemaker's security system as a result of the discussions in the above topic.

There are generally two parts to any encryption system: the encryption algorithm, and the secret key value that the algorithm uses to do the encryption and decryption. With the experimenting that I did, I worked out the algorithm that is used to encrypt/decrypt Filemaker passwords, but I didn't initially find how to retrieve the key. However, because of a rather serious flaw in the algorithm, it is possible to decrypt most passwords without even knowing what the key is.

When I say most passwords, I mean any password that uses only the low 127 printable ASCII characters. It's a trivial procedure to decrypt any password that uses these standard characters. Of course, if you know the key, then it's possible to decrypt any password, no matter which characters it uses. However, it certainly seems prudent to use passwords that include a mix of high and low characters in order to be safe against this flaw in the security.
RodinBangkok Posted June 26, 2003

Bob, this is all very disturbing information. Given FMI's lack of response to most issues of late, I have little hope of them doing anything about these issues either. Our databases fortunately are all internal to our organization; as we grew we were talking about doing some online work between locations, but this now is absolutely out of the question. But even with only an internal LAN we will now start looking at alternate methods to protect our most sensitive information. Given this sloppy approach to security, how can anyone providing solutions ever guarantee any level of security to their customers? This again raises the issue for us whether FM is going to be our long term DB solution... Not good news but very valuable news for us.
Anatoli Posted June 26, 2003

RE: Our databases fortunately are all internal to our organization; as we grew we were talking about doing some online work between locations, but this now is absolutely out of the question.

That is strange! Will you not use encrypted channels for such communications? If yes, why do you worry? If not, then someone absolutely stupid designed that system and you will have much more serious problems than the FM login.

RE: But even with only an internal LAN we will now start looking at alternate methods to protect our most sensitive information.

Even in FM you can build a login system which will use a combination of FM security and will not ask for FM passwords, e.g. with Simple Dialog and Dialog Magic.

RE: What do you think/know about 4D?

I cannot answer that and be polite in the same moment.
mse Posted June 26, 2003

Anatoli said:
RE: What do you think/know about 4D? I cannot answer that and be polite in the same moment.

You are not a consultant, you are a gentleman!
Lee Smith Posted June 26, 2003

ROTFLMAO

Ah, but you can see the light at the end of the tunnel now, if I remember right?
mse Posted June 26, 2003

Anatoli said:
Ok So I am unemployed gentleman

Dear Sir, Would you be so kind as to turn your attention to (and, dare I say, to invest some of your precise spare time in) a problem in question? As a gentleman's caprice?
BobWeaver (Author) Posted June 26, 2003

As Anatoli pointed out, if your files are available via the internet, you can use secure channels to restrict access to them. The important thing is that you have to trust the people who have legitimate access to the files.

BTW: What makes anyone think that 4D, or Access or any other database is any more secure than Filemaker?
mse Posted June 27, 2003

BobWeaver said:
BTW: What makes anyone think that 4D, or Access or any other database is any more secure than Filemaker?

I did not find a password recovery program for 4D at 45$ yet
BobWeaver (Author) Posted June 27, 2003

4D may be more secure than Filemaker. I don't know. I suspect the main reason that there's no password recovery program available for 4D is because there's not a big enough market for it compared to Filemaker.