grandwheatgrass Posted April 14, 2010
SO, I'm working on a database where the staff permissions are controlled by FileMaker. I've set up a pretty sweet database and then I was automating an account password change dialog (with dialogplugin) so that I could have the password typed in by the user saved in the staff table and also added to the FileMaker permissions. When I ran the script for the first time I changed my password and a dialog box (that I had set up) came up saying that my old password didn't match the old password in the FileMaker accounts. Now when I try to log in to make changes to my database I am locked out of making changes (because only my user was authorized to make changes). I know this defeats the purpose of permissions and security, but is there a way to recover a lost password when you don't have permissions to edit anything? I don't want to have to recreate this database because I was stupid enough to lock myself out. Thanks for any help.
grandwheatgrass Posted April 14, 2010
Never mind. Sorry for wasting a post. I found a shareware application that recovered my password.
Steven H. Blackwell Posted April 15, 2010
Since real FileMaker passwords are not stored in FileMaker Pro files, I don't know what you recovered. Likely this was one of the password crackers that strips out the hash block and replaces it with its own. This damages the structure of your file. Please see thefmkb.com/4829 for more details on that. More broadly, your original concept is flawed, namely storing the password as a data element. That could easily be compromised, less easily now in FileMaker® Pro 11, but still doable.
Steven
PotzUK Posted April 16, 2010
Surely the password must be stored in the FileMaker database, where else could the password be? It stands to reason that the (Presumably Passware) tool is able to decrypt the password data in the fp7?
comment Posted April 16, 2010
"where else could the password be?"
Nowhere. http://en.wikipedia.org/wiki/Password#Form_of_stored_passwords
Steven H. Blackwell Posted April 16, 2010
"Surely the password must be stored in the Filemaker database....the (Presumably Passware) tool is able to decrypt the password data in the fp7?"
No on both counts. The tool doesn't decrypt the password because the password isn't stored in the database or anywhere else.
Steven
David Jondreau Posted April 16, 2010
Steven knows what he's talking about. However, in this particular case, it appears the OP (not FMP) is storing passwords in the file. Which is a BAD IDEA.
PS: You ever try to recover a lost password for a website? They usually just send you a link to reset the password. They don't tell you what it is. Because no one knows, it's not stored in a human-retrievable way. It's a good idea to follow the same practice in your FMP development.
PotzUK Posted April 19, 2010
The password is in the database FILE (as in within the file itself, not as a record in the database), obviously hashed/encrypted in some way. No system is completely hack/crack/foolproof, it stands to reason that the authors of the tool have been able to reverse engineer FileMaker's password storage system and reveal or otherwise overwrite the password. I suspect the former, as I've used the tool previously and confirmed that it does indeed retrieve the password I set.
Vaughan Posted April 19, 2010
Was this tool used with FMP 6 and earlier databases?
Vaughan Posted April 19, 2010
Attached is a very simple file created in FMP 10.0v3 in Windows 7. Tell me what the full access password is. If you get it open, tell me what word is on the layout. I'm keen to know if these utilities can "recover" passwords.
Password.zip
David Jondreau Posted April 19, 2010
I'm not sure if you were intending to reply to me or to the thread in general. But the OP is storing passwords as rows in the db itself.
"I could have the password typed in by the user saved in the staff table and also added to the filemaker permissions"
Which makes getting said passwords much, much easier.
PotzUK Posted April 19, 2010
Actually the OP said he was adding the password to the database table but also adding the user to the database accounts as well, and that in doing so he'd managed to lock himself out of the file.
David Jondreau Posted April 19, 2010
My point is that storing passwords in rows is a bad idea. What's your point?
Vaughan Posted April 19, 2010
Ann, many thanks for taking the time to work on the file. Indeed "open" is the word. What was the password that the cracker used?
librone Posted April 20, 2010
No password.... "the password crackers strips out the hash block and replaces it with its own".
Ann
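
The practice recommended in the replies above (keep no retrievable password in a table row, and treat a lost password as a reset rather than a recovery), as an added Python example that is not part of the original thread and does not describe FileMaker's internal account format. The function names, the `staff01` account and the choice of PBKDF2-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch

def make_verifier(password):
    """Build the record that gets stored: salt and derived hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def check_password(record, attempt):
    """Re-derive the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def change_password(accounts, user, old, new):
    """Replace the verifier only if the old password checks out; else change nothing."""
    record = accounts.get(user)
    if record is None or not check_password(record, old):
        return False  # stored record untouched, so a failed change cannot lock anyone out
    accounts[user] = make_verifier(new)
    return True

def admin_reset(accounts, user, new):
    """A reset overwrites the verifier; the previous password is never learned."""
    accounts[user] = make_verifier(new)

def demo():
    # Constructed sample account; the name and passwords are made up.
    accounts = {"staff01": make_verifier("first-Passw0rd")}
    stored_before = dict(accounts["staff01"])
    failed = change_password(accounts, "staff01", "wrong-old", "second-Passw0rd")
    untouched = accounts["staff01"] == stored_before
    changed = change_password(accounts, "staff01", "first-Passw0rd", "second-Passw0rd")
    admin_reset(accounts, "staff01", "third-Passw0rd")
    return failed, untouched, changed, check_password(accounts["staff01"], "third-Passw0rd")

if __name__ == "__main__":
    print(demo())
```

Nothing in the stored record lets an administrator read a user's password back, which is why the only operations offered are verify, change and reset.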