6 Replies Latest reply on Apr 7, 2014 1:17 PM by taylorsharpe

    FM Server 13 and storage of passwords

    carlsson

      I read somewhere that Filemaker Server 13 has even better encryption storage than previous versions.

      Can we assume it's safe to store important info, such as passwords, in the databases?

      I know that there are some third party plugins for this, but if it's working out of the box it's even better.

      Any thoughts on this?

        • 1. Re: FM Server 13 and storage of passwords
          coherentkris

          I would say it's never completely safe to store authentication credentials in a table, and I don't believe that the new encryption at rest functionality would significantly change that opinion. I say let the Filemaker security system do the hard work for you and leverage Active/Open Directory services whenever possible.

          • 2. Re: FM Server 13 and storage of passwords
            Mike_Mitchell

            I agree with Kris. FileMaker doesn't even store passwords in the file (they store only a hash). It's not a good practice to store a complete set of credentials together in one place, ever.

            • 3. Re: FM Server 13 and storage of passwords
              wimdecorte

              carlsson wrote:

                  Can we assume it's safe

              You can never assume that about anything, really.

              It's still data, it will still be used in its unencrypted form, people can still guess / find out the master account and encryption key to your database and then get a wealth of other accounts to exploit.

              If these are passwords for access to your FM solution: I'll second what coherentKris is saying: stick to the FM security schema and don't roll your own.

              If it is other data: do a risk evaluation. Once you figure out what it would cost you (legal, reputation, ...) if all your data was stolen, you will have an idea of what budget you have to put security measures in place to mitigate that risk.

              • 4. Re: FM Server 13 and storage of passwords
                carlsson

                Thanks for the input guys.

                The solution that I'm trying to do will store passwords to different services on the net etc., and it will be used by a workgroup consisting of about five people.

                The password to the solution itself is at least eight characters long and assumed to be "safe".

                If Filemaker is not safe enough, what should we use?

                • 5. Re: FM Server 13 and storage of passwords
                  Vyke

                  There isn't much you can do there other than salt/hash the passwords yourself so that they can't be read directly. But then, you have the issue of them being able to use the passwords for anything useful.

                  • 6. Re: FM Server 13 and storage of passwords
                    taylorsharpe

                    Part of password protection is physical control of the actual file at the OS level. Otherwise programs like www.password-service.com/filemaker-password-recovery.php may be able to hack your passwords.

                    If you must store passwords in a table, make sure you use a good encryption cipher. But it is generally not recommended, particularly if you are not using the secure client-server connection. Monkey Bread Software has some nice AES or Blowfish algorithms for you to use if you want to additionally store the password encrypted at rest.

                    If you have a server and have turned on security in the admin console, you are fairly well protected with SSL and AES 256 bit cipher.

                    I also make use of two factor authentication so that the startup script checks your persistent ID and if it is not already approved hardware, then they will have to receive an email or text message with a code to authenticate that hardware in addition to the FileMaker User ID and password. This works much better than telling people to make real long passwords, which most people find very annoying.