11 Replies Latest reply on Aug 14, 2014 10:59 AM by joyce

    Setting up login passwords that expire

    joyce

      Recently our agency had an audit on the functions of our FM database. Although entering the database requires a login password to access it by the user, the password does expired after so many days (60) or require a specific number of characters or exclude the availability for the same password to be reused.

       

      Has anyone written, or does anyone know of, a written script that could be used to meet the requirement of a user's password prompting for change after maybe 55 days and expiring after 60; the password that was used cannot be used for ten (10) consecutive uses and has to be at least eight (8) characters?

       

      This is my first post. I am a novice developer so be kind, please. Thanks for any help anyone can provide.

       

      Joyce

        • 1. Re: Setting up login passwords that expire
          Stephen Huston

          As far as the requirement to change PW every 60 days, and to set the minimum length to 8 characters or more, those are built into FileMaker's Manage Security settings under the definition of the permission group. (see attached screenshot of the settings screen)

           

          You can script to process separately for changing passwords to include tests for length, contained characters, etc., but tracking past passwords for comparison within the FM tables directly would actually be a serious weakening of FM's security, as those passwords could be exposed in various ways that live passwords cannot in FM.

          • 2. Re: Setting up login passwords that expire
            sicosys

            Hi There!!

             

            Are you talking about a user name and password database (as part of your database) to grant access to different areas of your application?

             

            Or are you talking about the FM security Stephen talked about?

             


            Felipe

            • 3. Re: Setting up login passwords that expire
              Mike_Mitchell

              Stephen is right about storing previously-used passwords. You can mitigate it somewhat by employing a hash algorithm, but it's still a risk. When I wrote the security policy for FileMaker here, I simply requested an exemption from the history requirement rather than introduce the possible weakness. Maybe that might work for you.

               

              Mike

              • 4. Re: Setting up login passwords that expire
                joyce

                Thank you Stephen for such a quick response!  I looked at the "Privilege Set" and true some of what I need is there; however, it's grayed out.  I am in a group that has full privilege, but it's all grayed.  What should I do?  Joyce

                • 5. Re: Setting up login passwords that expire
                  joyce

                  FM Security that Stephen talked about.

                   

                  Joyce

                  • 6. Re: Setting up login passwords that expire
                    joyce

                    Thanks Mike...

                     

                    I may have to give your idea of requesting that exemption a whirl.  Thank you.

                     

                    Joyce

                    • 7. Re: Setting up login passwords that expire
                      wimdecorte

                      There is an easy solution: use External Authentication.  Then the accounts (and pws) are managed in the Directory Service (Active Directory or Open Directory) and expiry can be managed there, outside of FMS.

                      • 8. Re: Setting up login passwords that expire
                        taylorsharpe

                        +1 for Wim's suggestion to use External Authentication.  Those services are designed to comply with all types of strange password policy requirements beyond what FileMaker security includes.  But most of all, I love handing off my client's authentication of staff to Active Directory so that someone else handles resetting passwords... which is about the least favorite thing for me to do.  This also removes FileMaker as being its own security island so that another service can coordinate all User IDs and passwords for many services beyond just FileMaker, thereby making a single source of authentication control.  This is very important to medium to large companies that need to know how to add or remove employees for all databases at the company from one directory service and not have to trace down and update a lot of different services when employees change (e.g., easy to fire an employee and remove his access to everything quickly). 

                        • 9. Re: Setting up login passwords that expire
                          Stephen Huston

                          Whoever is in the true [Full Access] group has no restrictions on them.

                           

                          You can duplicate the Full Access permission set, and edit that copy as needed, and set the requirements there.

                           

                          However, at least one account must remain in the real [Full Access] group in order to manage the permissions setup (among other possible limitations placed on the edited copy of that set).

                          • 10. Re: Setting up login passwords that expire
                            joyce

                            Thanks Stephen.... I just discovered that with my "no delete" group.  So I'll do that with the "full access" group as well.  This ALL has been most helpful and a great experience for a "newbie".

                             

                            Kindest regards!!

                            Joyce

                            • 11. Re: Setting up login passwords that expire
                              joyce

                              Thanks Taylor.  I can see where that would be ideal for a medium to large entity; however, our agency is a very small Board and has to manage some things ourselves.  We don't have our own server; but if we did, the Active Directory would be the best solution for sure.

                               

                              Sincerely,

                              Joyce