
I'm stupid. Password recovery Help


This topic is 5129 days old. Please don't post here. Open a new topic instead.

So, I'm working on a database where the staff permissions are controlled by FileMaker. I've set up a pretty sweet database and then I was automating an account password change dialog (with dialogplugin) so that I could have the password typed in by the user saved in the staff table and also added to the FileMaker permissions.

When I ran the script for the first time I changed my password and a dialog box (that I had set up) came up saying that my old password didn't match the old password in the FileMaker accounts. Now when I try to login to make changes to my database I am locked out of making changes (because only my user was authorized to make changes).

I know this defeats the purpose of permissions and security, but is there a way to recover a lost password when you don't have permissions to edit anything? I don't want to have to recreate this database because I was stupid enough to lock myself out.

Thanks for any help.


Since real FileMaker passwords are not stored in FileMaker Pro files, I don't know what you recovered. Likely this was one of the password crackers that strips out the hash block and replaces it with its own. This damages the structure of your file.

Please see thefmkb.com/4829 for more details on that.

More broadly, your original concept is flawed, namely storing the password as a data element. That could easily be compromised, less easily now in FileMaker® Pro 11, but still doable.

Steven


Surely the password must be stored in the FileMaker database... the (Presumably Passware) tool is able to decrypt the password data in the fp7?

No on both counts. The tool doesn't decrypt the password because the password isn't stored in the database or anywhere else.

Steven


Steven knows what he's talking about.

However, in this particular case, it appears the OP (not FMP) is storing passwords in the file. Which is a BAD IDEA.

PS:

You ever try to recover a lost password for a website? They usually just send you a link to reset the password. They don't tell you what it is. Because no one knows, it's not stored in a human-retrievable way.

It's a good idea to follow the same practice in your FMP development.

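The reset-instead-of-reveal practice described in the post above, as an added example that is not part of the thread and is not FileMaker's own account mechanism. It is a generic Python sketch in which the `StaffAccounts` class, the iteration count and the token lifetime are all assumptions: the table keeps only a salted, slow hash of each password and a hash of a single-use reset token, so nothing in it can be read back as a password.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this example)
RESET_TTL = 900       # reset token lifetime in seconds (assumed value)

def _derive(password, salt):
    # Slow, salted, one-way derivation: the result verifies a password
    # but cannot be turned back into it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class StaffAccounts:
    """Hypothetical stand-in for a staff table: holds verifiers, never passwords."""

    def __init__(self):
        self.users = {}   # name -> (salt, derived key)
        self.resets = {}  # name -> (sha256 of token, expiry timestamp)

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _derive(password, salt))

    def check(self, name, password):
        if name not in self.users:
            return False
        salt, stored = self.users[name]
        return hmac.compare_digest(_derive(password, salt), stored)

    def issue_reset(self, name, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a copy of the table
        # does not yield a usable reset link either.
        self.resets[name] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
        return token  # delivered out of band, e.g. inside an e-mailed link

    def redeem_reset(self, name, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.resets.pop(name, None)  # single use: gone after one attempt
        if entry is None or now > entry[1]:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), entry[0]):
            return False
        self.set_password(name, new_password)
        return True
```
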

The password is in the database FILE (as in within the file itself, not as a record in the database), obviously hashed/encrypted in some way.

No system is completely hack/crack/foolproof; it stands to reason that the authors of the tool have been able to reverse engineer FileMaker's password storage system and reveal or otherwise overwrite the password.

I suspect the former, as I've used the tool previously and confirmed that it does indeed retrieve the password I set.


Attached is a very simple file created in FMP 10.0v3 in Windows 7. Tell me what the full access password is.

If you get it open, tell me what word is on the layout.

I'm keen to know if these utilities can "recover" passwords.

Password.zip


I'm not sure if you were intending to reply to me or to the thread in general.

But the OP is storing passwords as rows in the db itself.

I could have the password typed in by the user saved in the staff table and also added to the filemaker permissions

Which makes getting said passwords much much easier.


Ann, many thanks for taking the time to work on the file. Indeed "open" is the word.

What was the password that the cracker used?
