3 Replies Latest reply on Feb 22, 2013 9:54 AM by PSI

    Encrypt ESS Data Source Password

    user12837

      FileMaker does not provide a way to encrypt the password used to access an ESS datasource. (The excuse in the manual is particularly feeble, even for FileMaker.)

       

      Does anyone know of a workaround, so that a hacker who successfully logs in with full privileges can't use Manage External Data Sources to see ESS data source passwords?

       

      Thanks,

       

      Tom

        • 1. Re: Encrypt ESS Data Source Password
          taylorsharpe

          You can leave the password blank in the External Data Source so that users are prompted for a User ID and password to see the ESS data.  I know you are probably trying to avoid that, but it is the true security method of handling things.  Also, only have a couple of Full Access accounts that need to do development or admin work.  Make everyone else not have that ability to change External Data Sources since most people should not have this need.  And, of course, make strong passwords, especially for the Full Access accounts. 

           

          The reality is that FileMaker is almost never hacked and is not even subject to the most common database hacks, SQL injection attacks.  If someone "hacks" into your FileMaker account, I can pretty much guarantee you it was because of a weak password that someone guessed or an inside job.  Just search the internet and you won't find true hacks into FileMaker like you do most SQL databases.  Make sure to use FileMaker hosted on a server with encryption turned on and make sure to use the latest versions of FileMaker.  Checking the secure connection box on the server gives you a full AES 256 bit cipher of all database data, which right now is good up to the first level of Top Secret communication for the US Government.

          • 2. Re: Encrypt ESS Data Source Password
            DrewTenenholz

            Tom --

             

            Since the password box on ESS sources lets you use the entire calculation engine, I suppose you could use something like the free ScriptMaster Plugin, load up encryption functions, and create a calculation that decrypts a stored value.  Of course, protecting the decryption key becomes the next thing to worry about, but you could hide it pretty effectively if you want to.

             

            It seems like being able to use Windows SSO for authentication to the ESS Data source would be more secure, and it is an option.

             

            -- Drew Tenenholz

            • 3. Re: Encrypt ESS Data Source Password
              PSI

              Tom,

               

              I wouldn't worry too much about this.

               

              As Taylor said, make your admin un/pw combinations strong. This limits the chance of someone guessing the account credentials.

               

              In order to 'Hack' the system they would need physical access to the files. You have control over this because you can lock down the server and also lock down the room the server is in and the building the room is in... Make sure you have a real firewall, SonicWall or Cisco, not the $79 variety, to secure your network from outside attacks.

               

              Data is much easier to get at but that's a different story.

               

              John Morina

              PSI, Inc.

              CCQ-FM, Inc.