Singlequanta Posted March 21, 2004 Here's a cut down version of our secure logon system. I've modified one of FileMaker 5.x's generic templates to work with the solution. This is a rudimentary implementation but gives you an idea of how it works. Username: steve Password: secret or Username: guest Password: guest Oh... you will need Troi's Dialog Plugin http://www.troi.com for the solution to work. The use of this plugin can be removed but I was too lazy to do it for this demonstration. Cheers! Version: v7.x Platform: Windows XP signon.zip
BobWeaver Posted March 22, 2004 Unfortunately it's not very secure. I have uploaded a copy of the files that includes another file "ShowAccounts.fp5" which includes a portal to your SignOn.fp5 file and displays a list of all usernames and their passwords. Once someone has a list of usernames and passwords, it's pretty easy to log in. HackedVersion.zip
Vaughan Posted March 22, 2004 Besides, you just need to get FMP 7 now. It is so cool.
Singlequanta Posted March 24, 2004 LOL Thanks Bob... I didn't think it necessary to go any further with the security, so I'll encrypt the usernames and passwords.
Singlequanta Posted March 24, 2004 Bob; ya forgot to upload the file and yes, FM 7 is much better. I've only just started playing with it but what I see so far I really like. Q
BobWeaver Posted March 24, 2004 No. There should be a file called ShowAccounts.fp5 in my attachment (check the attachment to my message, not yours). Vaughan is right. There's not much point developing your own custom login any more. FM7 handles it all. If you still need to distribute FM5 and FM6 solutions and you want a custom login system, then you really should get the Moyer and Bowers book. It discusses the various pitfalls.
Singlequanta Posted March 24, 2004 Very confused now. Bob, that's great and certainly raises an eyebrow! I guess I'm puzzled because the signon file I included was supposed to be "permanently locked" to prevent anyone from either accessing it or creating new relationships to it. How did ya do it? And do you think that encrypting the password would be any use? Thanks greatly for your feedback.
Vaughan Posted March 24, 2004 I'm posting a demo FMP 7 file in the Samples forum now (well, soon anyway).
Vaughan Posted March 25, 2004 I just posted a security demo file in the FileMaker Pro Samples forum, and I've removed the attachment from this post. That keeps things a bit neater.
Singlequanta Posted March 25, 2004 Thanks Bob; Have you had much opportunity to work the FM7 and its user accounts? How do you rate it? I'd appreciate a brief thumbs-up/thumbs-down from you. I'll go research that book and grab a copy. Like yourself we too will still have to live with FM6 for a while. I am still not shocked when I come across FM3 solutions that have been in place for eons. Thanks again for your input.
BobWeaver Posted March 25, 2004 Hi singlequanta, My only exposure to FM7 is what I've read so far. I'm still running on Mac OS9. I have an antique installation of OSX 10.0.1, or something like that. I have to go pick up a copy of Panther, I guess, and start playing. So, I'll defer to Vaughan and OAM for the FM7 accounts and privileges expertise. The point is that FM7 now handles all this directly, so it should be fundamentally more secure than an old style custom login system. I'll send you an email describing the method I used to hack into your login system. Although it's not really secret knowledge, there's no point in making the method any more public than necessary.
Vaughan Posted March 25, 2004 I'd appreciate if you could CC me on that info Bob.
Steven H. Blackwell Posted April 4, 2004 "If you still need to distribute FM5 and FM6 solutions and you want a custom login system, then you really should get the Moyer and Bowers book. It discusses the various pitfalls." With much respect to Chris and Bob, it doesn't begin to cover the issues or the insecurities or how to fix them. Maybe take a look at: www.FMP-Power.com/MW_2004_FileMaker Security.pdf Any system relying on "looping pauses", layouts used as "dialogs", data entered into log-on files, "library keys", relationships to validate authentication, etc. are fundamentally conceptually flawed and usually crack open in something less than 60 seconds. Use FileMaker Pro 7 security; it was designed to deal with these issues. Steven
Steven H. Blackwell Posted April 4, 2004 Regarding establishing relationships, ANY open file can have a relationship established TO it. The password privileges deal with defining relationships FROM the file. Steven
Himitsu Posted April 25, 2004 Just a little note on FM7, I have it now on all my systems and I really like the user accounts setup and functions. You can really customize it and if you have multiple files but set the same user name and password, it will auto-logon to those files too. I don't know if FM6 did that, but it sure does it in 7! Just my 2.6 Yen!