Skip to content
View in the app

A better way to browse. Learn more.
FMForums.com

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

I'm stupid. Password recovery Help

grandwheatgrass
in Security Concepts

Featured Replies

SO, I'm working on a database where the staff permissions are controlled by filemaker. I've set up a pretty sweet database and then I was automating an account password change dialog (with dialogplugin) so that I could have the password typed in by the user saved in the staff table and also added to the filemaker permissions.

When I ran the script for the first time I changed my password and a dialog box (that I had set up) came up saying that my old password didn't match the old password in the FileMaker accounts. Now when I try to login to make changes to my database I am locked out of making changes (because only my user was authorized to make changes).

I know this defeats the purpose of permissions and security, but is there a way to recover a lost password when you don't have permissions to edit anything? I don't want to have to recreate this database because I was stupid enough to lock myself out.

Thanks for any help.

  • Author

Never mind. Sorry for wasting a post. I found a shareware application the recovered my password.

Since real FIleMaker passwords are not stored in FileMaker Pro files, I don't know what you recovered. Likely this was one of the password crackers that strips out the hash block and replaces it with its own. This damages the structure of your file.

Please see thefmkb.com/4829 for more details on that.

More broadly, your original concept is flawed, namely storing the password as a data element. That could easily be compromised, less easily now in FileMaker® Pro 11, but still doable.

Steven

Surely the password must be stored in the Filemaker database, where else could the password be? It stands to reason that the (Presumably Passware) tool is able to decrypt the password data in the fp7?

where else could the password be?

Nowhere.

http://en.wikipedia.org/wiki/Password#Form_of_stored_passwords

Surely the password must be stored in the Filemaker database....the (Presumably Passware) tool is able to decrypt the password data in the fp7?

No on both counts. The tool doesn't decrypt the password because the password isn't stored in the database or anywhere else.

Steven

Steven knows what he's talking about.

However, in this particular case, it appears the OP (not FMP) is storing passwords in the file. Which is a BAD IDEA.

PS:

You ever try to recover a lost password for a website? They usually just send you a link to reset the password. They don't tell you what it is. Because no one knows, it's not stored in a human-retrievable way.

It's a good idea to follow the same practice in your FMP development.

Edited by Guest

The password is in the database FILE (as in within the file itself, not as a record in the database), obviously hashed/encrypted in some way.

No system is completely hack/crack/foolproof, it stands to reason that the authors of the tool have been able to reverse engineer Filemaker's password storage system and reveal or otherwise overwrite the password.

I suspect the former, as I've used the tool previously and confirmed that it does indeed retrieve the password I set.

Was this tool used with FMP 6 and earlier databases?

Attached is a very simple file created in FMP 10.0v3 in Windows 7. Tell me what the full access password is.

If you get it open, tell me what word is on the layout.

I'm keen to know if these utilities can "recover" passwords.

Password.zip

I'm not sure if you were intending to reply to me or to the thread in general.

But the OP is storing passwords as rows in the db itself.

I could have the password typed in by the user saved in the staff table and also added to the filemaker permissions

Which makes getting said passwords much much easier.

Actually the OP said he was adding the password to the database table but also adding the user to the database accounts as well, and that in doing so he'd managed to lock himself out of the file.

My point is that storing passwords in rows is a bad idea.

What's your point?

the word is on the layout is "Open"

Ann

Ann, many thanks for taking the time to work on the file. Indeed "open" is the word.

What was the password that the cracker used?

No password...."the password crackers strips out the hash block and replaces it with its own".

Ann

Create an account or sign in to comment
Go to topic listing

Important Information

By using this site, you agree to our Terms of Use.

I accept

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.