Security - who is hashing user passwords?

Question asked by NickLightbody on Feb 5, 2014
Latest reply on Feb 6, 2014 by NickLightbody

The recent FMI guidance on security raised the question for me of how best to deal with the main weakness - user passwords.

Since it is normal practice in most industrial systems to hash passwords I thought it would be fun to do the same thing in the Deskspace Very Useful Free App.

You can use this App freely here:

http://64.64.194.79/fmi/webd#dApp_v125h

There are two types of hashing, one way and two way, and I suspect that hashing may mean slightly different things to different people.

My approach initially was to encode the password entered by the user into the password recognised by FileMaker.

Hence someone with knowledge of a user's account name and password cannot use those credentials to directly access FileMaker, as the password they have observed is not the one recognised by FileMaker.

The second step is not to record any passwords in the user table - so the only record of the password required by the user is that sent to them in their credentials email - and if they forget it then the sysadmin merely runs the script to remove the original account, create a new one and send the correct new hashed password to the user. Hence the sysadmin never knows the user's password.

So, my question is - who else is interested in this area, who is doing this already, who thinks it is a waste of time, etc.

I look forward to your contributions with great interest.

Cheers, Nick
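One way to implement the scheme described in the post, as an added example that is not part of the original post or of the Deskspace app: the password the user types is mapped with a keyed hash to the password the FileMaker account actually holds, only the derived value reaches the account, and the cleartext is generated once for the credentials email and stored nowhere. The server secret, the in-memory account store standing in for FileMaker's account list, and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example secret; a real deployment keeps it outside the database
# (e.g. the server environment) so the mapping cannot be recomputed from a copy of the file.
APP_SECRET = b"constructed-example-secret-not-for-production"

def derive_account_password(user_password: str, account_name: str,
                            secret: bytes = APP_SECRET) -> str:
    """Map what the user types to the password the FileMaker account actually holds.
    HMAC-SHA256 keyed with the server secret; the account name is mixed in so two
    users who choose the same password get different account passwords."""
    msg = account_name.encode("utf-8") + b"\x00" + user_password.encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # URL-safe base64 keeps the result to characters that are safe in a password field.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

class AccountStore:
    """Stand-in for FileMaker's own account list; it only ever sees the derived value."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}

    def create(self, account_name: str, derived: str) -> None:
        self._accounts[account_name] = derived

    def delete(self, account_name: str) -> None:
        self._accounts.pop(account_name, None)

    def check(self, account_name: str, derived: str) -> bool:
        stored = self._accounts.get(account_name)
        return stored is not None and hmac.compare_digest(stored, derived)

def provision_user(store: AccountStore, account_name: str) -> str:
    """Create the account with a random password. The cleartext is returned once,
    for the credentials email, and is not stored in any user table."""
    user_password = base64.urlsafe_b64encode(secrets.token_bytes(9)).decode("ascii")
    store.create(account_name, derive_account_password(user_password, account_name))
    return user_password

def login(store: AccountStore, account_name: str, typed_password: str) -> bool:
    return store.check(account_name, derive_account_password(typed_password, account_name))

def reset_user(store: AccountStore, account_name: str) -> str:
    """Forgotten password: remove the account, recreate it, hand back the new cleartext."""
    store.delete(account_name)
    return provision_user(store, account_name)
```

Because the mapping is keyed, an observed user password alone does not yield the account password; losing the secret, however, locks every account out, so it needs the same backup care as any key.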