HUGE PROBLEM -- FORGOT PASSWORD

[Joseph31]

I have misplaced... my Full access Privileges Password... I need to add a new person to my list of people to logon to my database.

Is there any way to find out or change this master password...

HELP

Joseph

[Raybaudi]

Hi,

can you send a clone ?

[CyborgSam]

Lost FM7 passwords are not recoverable.

FM7 passwords are not stored in the database file. The password is run through an encryption process and the result of this calculation is stored in the file. When the user enters the password, it is encrypted using the same calculations and the result is compared to the result stored in the file.

Decrypting would take an unreasonably long amount of time using today's supercomputers, assumming you could delineate the result in the file...

[Raybaudi]

...but someone, sometimes can ! :worship:

[Tony O]

Fm offers a service to recover files - mayhap they can also use their wizardry to recover your passwords. try this link, there's a phone number to call for a consulation whether or not they can help-

Filemaker Support Options

hth,

Tony

[stanley]

Joseph:

Try these guys.

http://www.lostpassword.com/filemaker.htm

-Stanley

[CyborgSam]

Joseph: Try these guys. http://www.lostpassword.com/filemaker.htm -Stanley

How does their software manage to crack FileMaker's scheme? Is FileMaker's definition of "extremely difficult" way off base?

FileMaker's tech brief "Upgrading to FileMaker 7: How to employ the new, advanced security system" states:

FileMaker Pro 7 does not store passwords in the database file. Instead it stores a hash of the password. A hash is the one–way, non–reversible result of performing a mathematical rule on a string of data. Even if the hash were recovered, it is computationally infeasible to reverse the process and thereby to obtain the original data: the password. When the user presents his or her credentials for authentication, FileMaker Pro hashes the credentials and compares them with the ones in the file. If there is a match, the user is authenticated as valid. This makes it extremely difficult to “crack” passwords.

[stanley]

Sam:

I don't know if their software works or not. I used them to recover a client's lost QuickBooks password a couple of years ago, and it ran some mad algorithm that produced ALL the usernames and passwords associated with the file. I don't want to waste the money to find out for myself if their FMP7 solution works - perhaps Joseph31 will use it & let us know. If it does work, then I'll worry a bit, too.

-Stanley

[CyborgSam]

Stanley->

I downloaded the FileMaker Key Demo demo, created a FM7 database with a 2 character password, and it very quickly gave me the password!

I assume it works by trying every combination of characters. I wonder how long it would take to try every combo for an 8 character password.

Also, somewhere I read that the hash is not stored at a defined location in the file. I wonder if these folks have figured out how to determine where it's stored or do they compare their hash to certain areas in the file.

[CyborgSam]

More password info from the "FileMaker 8 Security Guide" (guide_fm8_security.pdf):

With FileMaker networking, account names and passwords use a one-way encryption algorithm that prevents them from being deciphered by password-cracking tools. User account names and passwords are verified on the host computer, preventing hacking attempts on the client computer, or attempts to crack passwords with the executable or temp files. You must store your account name and password in a safe location. If you lose the account name and password, you will have to re-create the files.

I verified that passwords in FM7 created files are not stored as plain text, so the previous info seems correct. So why is it so easy to crack?

[stanley]

Sam:

That's bothersome. Even so, I'm more concerned that the tool might work over a networked solution (obviously a very serious security issue) or that it might be able to crack a runtime, which would be awful for folks who are relying on them as commercial products. Any chance you'd be able to check those?

-Stanley

[CyborgSam]

Stanley->

The FileMaker Key Demo only opens files. It did crack a runtime solution's .USR file (same as the .fp7 AFAIK). But the question is: how hard would it be for someone to crack a networked solution?

Cracking the file is easier, once the hash's location is know it's simple to do many iterations to compare. But over a network connection FileMaker client allows 4 failures, greatly increasing the time needed to crack. IWP doesn't seem to limit failed logins...

[stanley]

Sam:

Thanks for all of that useful (and a bit disturbing) info. I'll download the demo myself and have a look into this.

-Stanley

[Steven H. Blackwell]

The actual tool works differently from the demo. Basically it strips out all the account information and overwrites it with its own information. It then returns that information to you. Files that have been so damaged arelikely not reliable.