12 Replies Latest reply on Aug 19, 2016 7:21 AM by DavidJondreau

    Lock out after 3 failed password attempts

    user447

      Is there a setting or script to force FileMaker to Quit after three failed password attempts?

      Thanks!

        • 1. Re: Lock out after 3 failed password attempts
          coherentkris

          Not for regular FMP log on.

          You would have to build a scripted process for log on.

          It's difficult at best and can be prone to security issues if you are not an expert.

          • 2. Re: Lock out after 3 failed password attempts
            fitch

            No. You could make a script, but that would require the user to already be logged in, which I'm guessing would sort of defeat your whole purpose.

            • 3. Re: Lock out after 3 failed password attempts
              philipHPG

              You can set this up. Have the system auto-login to a very limited account (it only has access to the startup script). Then, in the startup script, prompt for the username and password and attempt to login. Allow three attempts before exiting the application.

              • 4. Re: Lock out after 3 failed password attempts
                fitch

                philipHPG yes but that's easily defeated by holding down option (Mac) or shift (Windows) so it would be security theater at best.

                • 5. Re: Lock out after 3 failed password attempts
                  philipHPG

                  fitch yes, holding down option or shift while opening the file would still allow the user an unlimited number of attempts at signing in.

                  • 6. Re: Lock out after 3 failed password attempts
                    coherentkris

                    Designing an ersatz security system is like whack-a-mole.

                    • 7. Re: Lock out after 3 failed password attempts
                      DavidJondreau

                      I think there's a difference between what S Blackwell calls ersatz security and what the OP is asking for. The user isn't storing passwords in filemaker or relying on this to secure the database. I assume they're just looking to make hacking a little more annoying. After all, a user can simply re-open FileMaker if the application exits.

                       

                      You can bypass the "option" by exiting the application if the login script doesn't run under the default account. It's not impossible, but pretty difficult to add a 100% rock solid layer "on top of" (not "instead of") FM's native login. A user with a valid user/pass can access the data in a file and do what their privileges allow if they're clever enough without regard to scripts or layouts.

                       

                      It takes careful crafting of access privileges and scripts to prevent that. So much that it's only theoretical (I've never seen it successful in practice).

                      • 8. Re: Lock out after 3 failed password attempts
                        fitch

                        @David yes but again -- the user will never get to that startup script until they get past the login dialog, which has meanwhile NOT quit the app after 3 attempts.

                         

                        Now WebDirect or FM Go is a different story... I don't think the user there has a way to force the login dialog to appear, so presumably you can rely on the startup script to run under a default login. Web usage is really more where you'd worry about this kind of attack. And I presume the concern here is some kind of attack, not just shaming your users.

                        • 9. Re: Lock out after 3 failed password attempts
                          DavidJondreau

                          Sure, they can try multiple times, but you can have the opening script run an Exit App (and/or Delete Account/Change Password) if they succeed when bypassing the default account. Or a handful of other options depending on the use case.

                           

                          We can go back and forth all day, but without more input from the OP, I don't see the point.

                          • 10. Re: Lock out after 3 failed password attempts
                            CarstenLevin

                            I hope you have read the other comments. I would in no way ever let the user into a solution with guest* credentials, even with the most limited set of permissions. It could probably be done in a secure way, but even the smallest error could cause you problems.

                             

                            FileMaker* should probably add an even better set of settings regarding passwords/credentials, and will probably do so one day. Including X-strikes-and-you-are-out. I believe it is 5-strikes-and-you-are-out as it is now. Is that not good enough for you?

                             

                            If the three-strikes-and-you-are-out is important, then start like this:

                            • Make all your files invisible "Don't display in Launch Center". You should already have set the server to only show files permitted by your password.
                            • Create an empty file with no data, no access to anything. Consider a guest login as default. Only two global fields available. A script that will try to log in to your real start file based on the login/pw written in the global fields. Close file/window or even exit application (consider whether this is a good idea) on third attempt.

                             

                            But remember, anything you add to, or build to replace, FileMaker's very secure security module can compromise security if you fail!

                             

                            *It can be OK to have guest login active in some specific cases. Presentation/Kiosk/Info systems, open WebDirect solutions for "unknown" users etc. etc. as long as you understand what you are doing.
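The scripted login discussed in replies 3, 9 and 10, written out as FileMaker script steps. This is an added example, not part of any post in this thread. It assumes a hypothetical auto-login account named "startup" whose privilege set can only run this script, and two hypothetical global fields, Login::gAccount and Login::gPassword.

```filemaker
# Startup script (set as the file's OnFirstWindowOpen trigger).
# Assumed names, not from the thread: account "startup",
# global fields Login::gAccount and Login::gPassword.

Set Error Capture [ On ]
Allow User Abort [ Off ]

# Reply 9: if the session did not begin under the restricted
# default account, the auto-login was bypassed, so quit.
If [ Get ( AccountName ) ≠ "startup" ]
    Exit Application
End If

Set Variable [ $attempts ; Value: 0 ]

Loop
    # Start every attempt with empty fields.
    Set Field [ Login::gAccount ; "" ]
    Set Field [ Login::gPassword ; "" ]

    Show Custom Dialog [ "Sign in" ; "Enter your account name and password." ; Login::gAccount ; Login::gPassword ]

    # Cancel is the second button; treat it as a failed attempt.
    If [ Get ( LastMessageChoice ) = 1 ]
        Re-Login [ Account Name: Login::gAccount ; Password: Login::gPassword ; With dialog: Off ]
        Set Variable [ $error ; Value: Get ( LastError ) ]
    Else
        Set Variable [ $error ; Value: -1 ]
    End If

    # Never leave the typed password sitting in the global field.
    Set Field [ Login::gPassword ; "" ]

    Exit Loop If [ $error = 0 ]

    Set Variable [ $attempts ; Value: $attempts + 1 ]
    If [ $attempts ≥ 3 ]
        # Third failure: quit, as the original question asks.
        Exit Application
    End If
End Loop

# Reached only after a successful Re-Login; the session now runs
# with the privileges of the account the user signed in with.
```

As the replies above point out, this loop only counts attempts made through the script: on the desktop the native login dialog can still be reached by holding option or shift, and the user can reopen FileMaker after it quits.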

                            • 11. Re: Lock out after 3 failed password attempts
                              coherentkris

                              But arguing between ourselves is the best part of this forum...

                              • 12. Re: Lock out after 3 failed password attempts
                                DavidJondreau

                                I disagree.

                                 

                                 

                                (That was a very dry joke)