16 Replies Latest reply on Sep 9, 2015 2:57 PM by jbante

    How do you all verify the strength of your passwords?

    user16545

      Hi All,

      Which script steps do you all use to verify the strength of passwords?
      The length check is obvious.

      But with which script step do you check whether the password contains special characters, numbers and uppercase characters?

      And which script step do you use for one-way hashing before you store your passwords?

      Thanks

        • 1. Re: How do you all verify the strength of your passwords?
          coherentkris

          It is not good practice to store passwords in a record in FileMaker because it's difficult, at best, to protect the data from exposure. You should use FileMaker's built-in security for passwords.

          • 2. Re: How do you all verify the strength of your passwords?
            user16545

            Hi Coherentkris,

            We have a 100% WebDirect application, used by different organizations.

            These organizations want to maintain users and access rights.

            They add accounts in the application.
            The application creates / changes the FileMaker accounts with the 'Account' script steps.

            Do you see an alternative in this situation?

            Thanks

            • 3. Re: How do you all verify the strength of your passwords?
              electon

              Creating Password Strength Meter

              Some info there above, somewhat related to FileMaker.

              Possibly a JavaScript library in a web viewer.

              Strength.js

              The thing is, JavaScript does better at regex / pattern matching than FileMaker at this moment.

              • 5. Re: How do you all verify the strength of your passwords?
                user16545

                Would you use PatternCount?
                If so, how can we compare a password with a range of special characters, uppercase characters or numbers?

                • 6. Re: How do you all verify the strength of your passwords?
                  DrewTenenholz

                  Grr... this new system shows I made a reply (by email) but doesn't show the content.....

                  At 8:45 AM -0700 9/8/15, user16545 wrote:

                  And which script step do you use for one-way hashing before you store your passwords?

                  You can use the FREE 360Works ScriptMaster plugin to do this.  Download the demo and look for the hashing functions they demonstrate.  You can transfer one into your solution for use with your system as long as you make sure to install the plugin in the correct folder on the server for web publishing.  (See their instructions for accurate information).

                  If you do this, you will actually be double-hashing: the plug-in does the first hash, then FileMaker itself hashes that result for storage within File>Manage>Security.

                   

                  If this is the route you are taking, do you need to store the user's password in a record at all?  I often have a 'users' table with account name and real name, but I don't store the user's password in that record. I let FileMaker's built-in security store it and use 'Account' script steps to reset the password, but I never have the password in a database record.  I use global fields to capture the password entered and do the validation, then follow that up with the 'Create Account' process.

                  As for trying to get the users to use passwords that are less prone to brute-force attacks: it should be easy enough to 'require' the inclusion of case-sensitive text using Exact() with Upper() and Lower() to confirm.  Similarly, inclusion of 'special' characters can be confirmed with Filter().

                  My own personal preference is that, whatever you require, you make it clear to the person creating the password BEFORE you validate.  I dislike coming up with what I think is a fairly good password only to find out that the system I'm working with wanted something else.

                  -- Drew Tenenholz

                  • 7. Re: How do you all verify the strength of your passwords?
                    DavidJondreau

                    Sure. Don't store passwords. You can create accounts, reset passwords, do all that without storing a password in the database itself. A lot of commercial websites do that now. "I can't tell you your password, I can just reset it." Of course, they're storing the hash, which is what you want to do. But the only reason I can see you wanting to store a hash in FM is to reverse it.

                    Use a script to do the following:

                    Grab the password into a global field.

                    Set a local variable to the global field.

                    Clear the global field.

                    Check the local variable for strength.

                    If it passes, use the Account script steps using the local variable.

                    >If so - how can we compare a password with a range of Special characters, Uppercase characters or numbers?

                    Let ( [
                      password = $password ;
                      alpha = "abcdefghijklmnopqrstuvwxyz" ;   // "g" was missing in the original
                      digits = "0123456789" ;
                      special = "!@#$%^&*()" ;
                      min.length = 8 ;

                      has.length = Length ( password ) ≥ min.length ;
                      has.special = PatternCount ( password ; special ) ;
                      has.number = PatternCount ( password ; digits ) ;
                      has.letter = PatternCount ( password ; alpha ) ;
                      has.upper = has.letter and not Exact ( password ; Lower ( password ) ) ;
                      has.lower = has.letter and not Exact ( password ; Upper ( password ) ) ;

                      result = has.length and has.special and has.number and has.letter and has.upper and has.lower
                    ] ;
                      result
                    )

                    • 8. Re: How do you all verify the strength of your passwords?
                      CICT

                      Hi

                      We have our own user HR module built into our solutions to add, amend and delete user accounts. Part of this includes a password complexity system that uses a single 'config' record to stipulate minimum length, upper/lower case and special characters, then a custom function that references these to produce a true or false result. Using PatternCount within a script would also work fine, referencing ASCII codes.

                      Each user can have a temporary password issued; then, when they log in for the first time using this, a startup script locates their HR record (based on their account name - ensure the find is an exact find) and checks whether a flag exists that would prompt them to change the temporary password. A scripted dialogue box allows them to enter their password twice; it is checked that it meets the complexity rules and loops until it conforms (positive result from the custom function). The script then progresses to set that user's password using the 'Change Password' script step, then erases the password from any records and removes the change password flag from their HR record.

                      Our solutions are run worldwide using data separation, so we don't usually get to talk to the users, hence the introduction of the above.

                      Hope this helps

                      Andy

                      • 9. Re: How do you all verify the strength of your passwords?
                        DLarsen

                        If you're in the right situation you can use external authentication and let the OS enforce password complexity. It's also nice because you don't have to set up an account for each user, nor do they have to enter their credentials when they open FileMaker. FM knows who they are when they log onto their computer.

                        • 10. Re: How do you all verify the strength of your passwords?
                          CarstenLevin

                          There are different business rules for different situations.

                          While I do agree that in most cases you should not store passwords, this is not always the only truth.

                          When people say "never" or "always" you should consider contradicting them!

                          "When I hear the word "never" or "always", I release the safety catch on my keyboard." Sorry if my grammar is not OK and for misusing this dubious quote.

                          The point is always: why, where, how ...

                          And in some cases storing the password is indeed OK.

                          • 11. Re: How do you all verify the strength of your passwords?
                            electon

                            External authentication is nice, but true single sign-on works only on Windows.

                            On OS X, you need to use the keychain.

                            Also, you can't script managing external accounts / passwords via the FileMaker security system.

                            I wish it would at least let the user change the password while leaving enforcement to the controller.

                            It could also be the case that different users use the same machine and just re-login to the solution to pick up where others left off.

                            • 12. Re: How do you all verify the strength of your passwords?
                              user16545

                              To all respondents,

                              Thank you all for your replies, especially DavidJondreau.
                              I myself am less in favour of using plugins or java in web viewers.
                              I think that's unnecessarily complicated.

                              I will try to implement David's solution.

                              • 13. Re: How do you all verify the strength of your passwords?
                                user16545

                                Hi David,

                                It costs me some trouble to implement your script steps.

                                I put the entered password in a $password variable and delete the entered password.

                                I am not very familiar with the 'Let' command.
                                I never use it.

                                It is not a script step.
                                Should I include the Let command in a field value?

                                Not knowing this, I replaced your Let command by variables like $digits.
                                However, if $password is for instance Welcom1234, PatternCount ( $password ; $digits ) results in a value of 0.
                                Can you point out what I do wrong?

                                Thanks!

                                • 14. Re: How do you all verify the strength of your passwords?
                                  user16545

                                  Hi All,

                                  Unfortunately I had to un-mark David's answer as correct.
                                  Still, David put me on a trail to the correct answer.

                                  As you can read above, PatternCount didn't quite do the job, and the reason why is (now at least) obvious.

                                  PatternCount counts how many times a string is included in the password.
                                  If the reference string is "01234567890" the answer is only 1 (True) if the entered password is "01234567890" as well.

                                  And that is not what we want.
                                  We want to ensure that the password has at least 1 digit or 1 special character etc.

                                  To achieve that we must use FILTER, not PATTERNCOUNT.

                                  This routine works fine for me now:

                                  Set Variable [$password; Value: User::PasswordNew]

                                  Set Field [User::PasswordNew; ""]       -     to remove any password information from the FileMaker database

                                  Commit Records/Requests

                                  Set Variable [$passwordcheck; Value:
                                  Let ( [
                                    password = $password ;
                                    alpha = "abcdefghijklmnopqrstuvwxyz" ;   // "g" was missing in the original
                                    digits = "0123456789" ;
                                    special = "!@#$%^&*()?><:';/\][{}" ;
                                    minlength = 10 ;

                                    haslength = Length ( password ) ≥ minlength ;
                                    // Filter keeps only the characters of password that occur in the set,
                                    // so a non-empty result means at least one such character is present
                                    hasspecial = If ( Filter ( password ; special ) = "" ; 0 ; 1 ) ;
                                    hasnumber = If ( Filter ( password ; digits ) = "" ; 0 ; 1 ) ;
                                    hasletter = If ( Filter ( password ; alpha ) = "" ; 0 ; 1 ) ;
                                    hasupper = hasletter and not Exact ( password ; Lower ( password ) ) ;
                                    haslower = hasletter and not Exact ( password ; Upper ( password ) ) ;

                                    result = haslength and hasspecial and hasnumber and hasletter and hasupper and haslower
                                  ] ;
                                    result
                                  )
                                  ]

                                  If [$passwordcheck = 0]
                                       Enter here your message that password quality is NOT OK
                                       Exit Script
                                  Else
                                       Enter your message that password quality is OK
                                       Reset Account Password [Account Name: User::UserName; New password: $password]
                                       Set Variable [$password; ""]
                                  End If

                                  Thanks again David for your input.
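                                  Added example, not code from the thread or from FileMaker: the two FileMaker functions the thread relies on, PatternCount() and Filter(), re-implemented in JavaScript (the language electon's web-viewer suggestion would use) so the difference user16545 ran into with "Welcom1234" can be tested outside FileMaker. It is an assumption here that PatternCount behaves case-insensitively and counts non-overlapping occurrences, and that Filter is case-sensitive; the character sets are the ones from the Let() calculations above, with the missing "g" added. checkPassword() mirrors the final Let() calculation but also returns the list of failed rules, so the message shown to the user can say which requirement was not met.

```javascript
// Added example (not code from the thread): FileMaker's PatternCount() and
// Filter() re-implemented in JavaScript so the password check can be tried
// outside FileMaker, e.g. in a web viewer. Assumptions, not verified against
// FileMaker: PatternCount is emulated as case-insensitive and non-overlapping,
// Filter as case-sensitive.

// PatternCount(text; searchString): number of times the whole searchString
// occurs in text. Zero unless the complete reference string is present.
function patternCount(text, searchString) {
  if (searchString === "") return 0;
  const t = text.toLowerCase();
  const s = searchString.toLowerCase();
  let count = 0;
  let pos = t.indexOf(s);
  while (pos !== -1) {
    count += 1;
    pos = t.indexOf(s, pos + s.length);
  }
  return count;
}

// Filter(textToFilter; filterText): the characters of text that occur in
// filterText, in their original order. Empty when no character matches.
function filter(text, filterText) {
  let kept = "";
  for (const ch of text) {
    if (filterText.includes(ch)) kept += ch;
  }
  return kept;
}

// Character classes from the thread's Let() calculations ("g" added to alpha).
const ALPHA = "abcdefghijklmnopqrstuvwxyz";
const DIGITS = "0123456789";
const SPECIAL = "!@#$%^&*()?><:';/\\][{}";
const MIN_LENGTH = 10;

// The first attempt from the thread: PatternCount against the whole set.
// This is only non-zero when the password contains the entire set verbatim.
function hasNumberViaPatternCount(password) {
  return patternCount(password, DIGITS) > 0;
}

// The corrected check, mirroring the final Let() calculation. Every rule
// result is returned so a message can tell the user which rule failed.
function checkPassword(password) {
  const hasLength = Array.from(password).length >= MIN_LENGTH; // Length() counts characters
  const hasSpecial = filter(password, SPECIAL) !== "";
  const hasNumber = filter(password, DIGITS) !== "";
  // Filter is case-sensitive, so this requires a lowercase letter, as in the thread.
  const hasLetter = filter(password, ALPHA) !== "";
  // not Exact(password; Lower(password)) is true when lowering changes the text,
  // i.e. some uppercase letter is present; same idea with Upper() for lowercase.
  const hasUpper = hasLetter && password !== password.toLowerCase();
  const hasLower = hasLetter && password !== password.toUpperCase();
  const rules = { hasLength, hasSpecial, hasNumber, hasLetter, hasUpper, hasLower };
  const failed = Object.keys(rules).filter((name) => !rules[name]);
  return { ...rules, failed, result: failed.length === 0 };
}

// Demo with constructed sample passwords (not real credentials).
if (typeof require !== "undefined" && require.main === module) {
  for (const pw of ["Welcom1234", "Welcom1234!", "welcom1234!"]) {
    console.log(pw, "| PatternCount sees a digit:", hasNumberViaPatternCount(pw),
      "| Filter check failed rules:", checkPassword(pw).failed.join(",") || "none");
  }
}
```

                                  Running it shows the thread's observation directly: PatternCount("Welcom1234"; "0123456789") is 0 because the whole ten-digit string is not present, while Filter keeps "1234" and the corrected rule passes. "Welcom1234" still fails the final check, but only on hasSpecial, which is exactly what a user-facing message should say.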
