
Incorrect Information On Passwords Presented at Devcon


This topic is 5384 days old. Please don't post here. Open a new topic instead.


At the Devcon several people approached me concerned about information presented in a session relating to passwords. There are a couple of different versions of the story they all told, but the gist of it is as follows.

Apparently some people were storing FileMaker Pro account names and passwords in text fields as part of some sort of ersatz log-on system. The speaker apparently cautioned them against this practice; but the speaker apparently also told them that if they chose to follow this practice, they could “protect” the information in the fields by turning off the index for that field.

The first piece of information is good: avoid the practice. The second piece of information is completely incorrect. Turning off indexing does nothing at all to protect the information. Indeed, it engenders a false sense of security that information is protected when, in fact, it is not protected.

The index has no bearing whatsoever on this issue. Unzip the attached archive and open FileB.fp7 and you can readily see the ersatz Account information in FileA.fp7 even though there is no indexing on either field in FileA.

Please do not store FileMaker Pro Account names or passwords in data fields. And do not rely on these ersatz “roll-your-own” type systems. They are full of vulnerabilities as described here on FMForums.

Steven

DemoFiles.zip
