Finding a way around a password protected db

[grimalkin]

Hi, new here. I just found this place because I was looking for something like this.

I have three dbs in FM, but they're all password protected. It's probably the same password, but I'm not that sure. I need to get access to these dbs, but I don't have the password. I work with publications, & these pubs were entered into the dbs. Then that info was put into an HTML file & uploaded to the group's website. The group would like their pub website updated, but I need to access the files for that. That info hasn't been updated since the woman who last worked here retired (there's been 3-4 temps in the interim, but I doubt they even touched the dbs). I think it's been a year and a half since then. She also wrote down the password, but she put it in a rolodex that was thrown away (nobody knew it was there, except for one other person, who knew the password location, not the actual password). The group's leader would like the website updated, but I can't do that without accessing the dbs. I've asked around, but I don't know anyone who has a lot of experience/knowledge using FM. Is there a way to get around a password protected db? Either get around it or break the password - either is fine with me. If I can't, I will have to pull the HTML files off the server & use those to create three new databases.

Please help.

[Computer Geek]

FileMaker Incorporated can retrieve the passwords for 6.0 and below. They cannot, according to their literature, retrieve 7.0 passwords.

[grimalkin]

How much does it cost to go through Filemaker Incorporated?

I found this little app called FileMaker Key . Has anyone used it & does it work?

[Lee Smith]

Hi grimalkin,

I don't think FileMaker offers this service any more, but here are some links that may help.

FileMaker's Knowledgebase has an article on this

http://www.filemaker.com/ti/101692.html Damaged Access Privileges, Can't Open File

The NY FileMaker Developer's Group has additional info here

http://masdevelopment.com:3455/1/57 Damaged Files and Hidden Corruption in FileMaker Pro

FileMaker now offers a file recovery service, to restore both data and structure

http://www.filemaker.com/support/technical_support.html File Recovery Service

Lee

[Lee Smith]

These are old links, but maybe helpful too.

FileMaker Password Recovery Key - fp3 fm files

http://www.filemaker.com/support/technical_support.html File Recovery Service

Password Busters: Password Recovery Profile f...

http://www.passwordbusters.com/profile_filemaker.htm

Filemaker Password Recovery Service

http://www.lostpassword.com/filemaker.htm

Lee

[grimalkin]

Thanks for the links, I think I will buy the FileMaker Password Recovery Key & get my passwords back.

[Computer Geek]

Here's the real question: Is there something out there to secure the passwords better so that programs like the above don't crack the passwords?

[Lee Smith]

This has been the topic of a many loooooooooooooog discussions in the not so distant past. Take a look at this recent Thread, Here and then click on the profile for Old Advance Man, and then click on All of User's Posts.

Old Advance Man (A.K.A. OAM) = Steven H. Blackwell, the man wrote the book on security and FileMaker.

HTH

Lee

[Computer Geek]

Lee, I looked through the not so distant past (as far back as Feburary) and I fail to see any that directly cover the question that I posted. I also looked through Advance Old Man's postings, and I don't see it addressed.

I downloaded a trial of the passaware and it cracked a FileMaker 7.0 password in 6 seconds flat. In reading the FileMaker literature, you get the impression that because the password is stored with hashes, etc and that if you lose your password, you are up the creek. Click on the following thread and you will see that as late as 6-1-04, this was posted and accepted by the forum.

As passaware clearily demonstrates, your password is not any safer from these 3rd party cracking tools then 6.0. Sure, it is stored with hashes and a text editior won't display it, but anyone with $45 can have all the usernames and passwords they want, including the full access ones.

There have been many great postings about how to secure your tables and fields from attack where the hacker doesn't know the password. Again, for $45, game over. So the question I pose is how do you combat that? If you are a developer and want to secure your intellectual property, or you want to secure a database from an *internal* hacker that may be able to get by firewalls and servers, how do you do that.

[LiveOak]

You can use FileMaker Developer (FM7) or FileMaker Developer Tool (FM5/5.5/6) to permanently prevent modifications to database structure. This prevents ANYONE from EVER making modifications or viewing that database structure.

-bd

[The Shadow]

I took a look at passware. The trial, which only handles two-char passwords that contain no high-ascii or japanese, it is simply guessing all possible two-letter ascii combinations till it finds it.

The actual passware program you buy for $45 is re-writing the password in the file with a random string, then reporting that to string to you.

In both cases, the password was not actually "extracted", so the previous logic that it cannot be extracted is still technically correct - there are more ways to skin a cat though.

[Computer Geek]

LiveOak, That is a real good point. I went to the passaware website and looked at the demo again. It says it does not work on files protected with developer tools.

Shadow, I couldn't find anything on the site that said it rewrites the password, but either way, it is kind of scary that for $45, you can quickly circumvent the password protection. You are right ... more than one way to skin a cat ....

[Vaughan]

Can this program crack a password on a file hosted by FMS?

[The Shadow]

Computer Geek - I wasn't reading the site, I ran a copy on some samples, the trial gives back exact passwords when it can at all - the real one always rewrites them to something new. This struck me as bait-n-switch: the trial doesn't even use the same technique as the actual program.

Vaughan, no it can't crack passwords of hosted files, it needs physical access to the file to rewrite it.

[Computer Geek]

Shadow ... Good info. It is kind of a bait and switch, but effective.

From the postings, a solution would be as follows:

1 - For hosted solutions, you rely on the security of your server, network, firewall. Depending on the solution, you could remove admin access with FM developer tools. For a lot of us, removing the access probably isn't feasable. If someone defeats your server, or an unauthorized internal person gets your database, they could gain access to your database.

2 - For developers interested in protecting intellectual property, removal of the access through FileMaker Developer would be a good option.

In both cases, it would have to be a cost/risk benefit analysis.