It is stored inside the database file.
As for your "security concerns" (you don't say what they are), I can't tell you "how secure" it is. I've never seen a tool that can recover ODBC login credentials, but that doesn't mean one doesn't exist. If you're concerned about it, you can always use the encryption at rest feature, which should make it awfully hard to crack.
But putting the database on the server and restricting access to that is a really good start, since keeping grubby (or malicious) paws off the database file is a really important security fundamental. And restrict the [Full Access] account carefully (change the default account name to something other than "Admin" and put a strong password on it).
Thanks for the quick response. Very helpful already. And it seems the best-case scenario has users only accessing the db via FMP server. In this case I'm using databases that are not, so it's conceivable someone does indeed get access to the actual db file. Are those credentials, when stored in the database, encrypted?
The short answer is I don't know.
FileMaker automatically obscures the data in the database file with a weak encryption. However, it doesn't meet many of the basic security standards that are in force today. Passwords for FileMaker accounts are not stored in the database; they are hashed and the hash is stored. I do not know about ODBC external source credentials, however; because those are used to log into an external database they might not be able to be hashed.
So if you want to be sure that the passwords are encrypted then you should use the at rest encryption feature in FileMaker 13.
Furthermore, most of the hacks that attack FileMaker security depend on access to the actual physical file. If you're concerned about security I would suggest using the encryption at rest feature regardless of whether you're accessing external sources or not. If you can, remove developer access from the file before you deploy it for better security.
Question about the second: where/how does FMP store the user name & password entered? In the database? On the server computer? How secure is this option? It would be a great convenience to use, but security concerns prevail.
Not in the database in any data table. A FM file is one file that holds the database (tables, records) and all the schema (layouts, scripts, accounts,...).
So it is in the file but not in a data table.