8 Replies Latest reply on Jan 12, 2014 10:37 AM by wimdecorte

    Password Vulnerability (FullAccess) (. Fmp12)

    Draco

      Hi,

      With Passware (US$39), I can get any ps (FullAccess) and enter the application.
      Can I avoid this? ..preserves the property to code.

       

      http://www.lostpassword.com/filemaker.htm

       

       

      ###############################################################

      FileMaker Key removes password protection from

      FileMaker (FMP12, FP7, FP6, FP5, FP4, FP3) databases.

       

      The product indicates a restriction:

      Limitations

      • Databases protected with FileMaker Developer Tool are not supported

       

      ==> What is meant by this?

       

      ###############################################################

       

      To me, this is a weakness of FM when I distribute my app.

      I created scripts to control the start of my app. But with the debugger SYSER, even this can be skipped.

       

      Is it possible to give our "solutions" an optimal level of security?
      :-(
        • 1. Re: Password Vulnerability (FullAccess) (. Fmp12)
          BowdenData

          Hi,

           

          There is an option in FMP Advanced Developer tools/utilities that will save a file WITHOUT a master password. This is what they mean. This is a one way street in that once you save a dB with this option, you can never modify that particular file. If you use this function, you would always want to keep your own "master" copy of your solution and just strip it of the master password before sending it to a client, etc.

           

          This is also where the new function in FMP13 to fully encrypt a database file, comes in. I notice that the company does not say anything about FMP13 encrypted files. In the FM product briefings before FMP13 was released, this subject came up. Although there was no definitive answer from FMI, the consensus was that encrypted files would not be susceptible to these password tools.

           

          One final note about the tool. Starting with FMP7 (I think), the tool did not just reveal the master password in the file, but rather replaced it with a string of text that they showed you. They were editing the file itself. I found that this would sometimes corrupt the file. In other cases where the file contained more than one account/password with Full Access, the tool would sometimes choke and render it useless.

           

          Doug

          • 2. Re: Password Vulnerability (FullAccess) (. Fmp12)
            filemaker@i-absolute.com

            Using FMP12 or greater you can implement an online system activation with the InsertFromURL function in combination with FileMaker Server or other DBs published via PHP.

             

            Fabio

            • 3. Re: Password Vulnerability (FullAccess) (. Fmp12)
              Draco

              in FMP Advanced Developer tools/utilities that will save a file WITHOUT a master password.

              The problem is the maintenance:
              . 1 - To make changes, I must always import (to app with password.)
              . 2 - Create app. without password. uuufffffff ....

              This is not optimal; the optimal solution is the impossibility of discovering the key (without having to encrypt the entire file).
              :-)

              • 4. Re: Password Vulnerability (FullAccess) (. Fmp12)
                Draco

                With Syser, one can apparently stop script steps and skip this validation.

                • 5. Re: Password Vulnerability (FullAccess) (. Fmp12)
                  Mike_Mitchell

                  Doug is correct. These tools do not actually fetch the master account password. (Since the password isn't stored in the file; only a hash is.) They just remove it and grant access, modifying the file in the process (which is, well, dangerous).

                   

                  But - and this is important - they only work if the person has a physical copy of the file. If you host the file using Server and the users don't have access to it (such as through a server you provide or through a hosting service), this vulnerability doesn't exist.

                   

                  Mike

                  • 6. Re: Password Vulnerability (FullAccess) (. Fmp12)
                    wimdecorte

                    Draco wrote:

                     

                    The problem is the maintenance:
                    . 1 - To make changes, I must always import (to app with password.)
                    . 2 - Create app. without password. uuufffffff ....

                     

                    Convenience and Security do not go hand in hand.

                    #2 is clearly not an option

                    #1 takes some work but is entirely do-able.  Does it take extra work: sure.  But at least it will be secure.

                    • 7. Re: Password Vulnerability (FullAccess) (. Fmp12)
                      Draco

                      -> Obviously, the problem is with those who have physical access.

                      -> ex: a client hires a third party to obtain the master key.

                       

                      Regards

                      • 8. Re: Password Vulnerability (FullAccess) (. Fmp12)
                        wimdecorte

                        Replied in the other thread: https://fmdev.filemaker.com/message/135776#135776

                         

                        The tools are there as explained in this thread and the other one.