5 Replies Latest reply on Nov 14, 2012 10:12 AM by MarcMcCall

    Bypassing FileMaker Password Recovery

    NaturSalus

      Title

      Bypassing FileMaker Password Recovery

      Post

           Hello,

           The user account and password protection of Filemaker Pro products can be easily bypassed using products like: FileMaker Password Recovery. In the end, this program will find out all the user accounts of your FM project file and will replace their passwords by the ones of your choice.

           This is a reported and known issue by FMI. 

           Since removing the Admin account doesn't prevent your application from being opened and used by anyone that have a copy of your application and FileMaker Password Recovery , I was thinking of a way to bypass the ability of FileMaker Password Recovery to change the original passwords by new ones.

           So instead of using FM Pro built in login capabilities, what about creating a login script that requests the user account name and password and then checking whether the entered password is the same as the one provided to the buyer. 

           If the password entered by the user is equal to the password provided to the buyer then access is granted.

           However, if the password entered by the user (the one entered using FileMaker Password Recovery) is different from the password provided to the buyer then access is not granted and the application is closed.

           My question is

           ¿what are the pitfalls of this approach vs doing nothing and using FM Pro default login process?

           Thanks,

           natursalus

           P.D. I am still on FM Pro 11 Advanced till FM Pro 12.04 is released and proven reliable

            

        • 1. Re: Bypassing FileMaker Password Recovery
          philmodjunk

               You can certainly use Show Custom Dialog to open a dialog with a bullet character formatted input field for entry of such a password, but how then will you store it in your table so that your script can check the user's entered password against it to confirm correct data entry?

               It's also possible to examine the data stored in the file so a user might be able to isolate the password you've used for that purpose. I think there's an encription plug in that may enable you to store the value in encrypted form. I've played around with a simple "scramble" custom function and a companion "Descramble" function for a similar purpose but I was only trying to make the process of extracting a password a bit harder--the scramble algorithm wasn't anything terribly sophisticated.

          • 2. Re: Bypassing FileMaker Password Recovery
            NaturSalus

                 Hello Phil,

            You can certainly use Show Custom Dialog to open a dialog with a bullet character formatted input field for entry of such a password, but how then will you store it in your table so that your script can check the user's entered password against it to confirm correct data entry?

            The data introduced by the user will be captured by local variables and the value of the local variable holding the entered password will be compared to the control password stored in a field on a utility table.

            It's also possible to examine the data stored in the file so a user might be able to isolate the password you've used for that purpose. 

                 Unless I am wrong, FileMaker Password Recovery can't do it.

                  

                 Are you telling me that it is possible to gain access to the stored password without login through  a valid user account and password? If this is so what is the purpose of login set up, user account, user password and privilege sets?

                  

            I think there's an encription plug in that may enable you to store the value in encrypted form. I've played around with a simple "scramble" custom function and a companion "Descramble" function for a similar purpose but I was only trying to make the process of extracting a password a bit harder--the scramble algorithm wasn't anything terribly sophisticated.

            I thought about encryption sometime ago, but  encryption plugs  are expensive and increase project costs.

                 I guess my suggestion is not too crazy and certainly it is better than doing nothing and using FM Pro default login and "user account -- user password -- privilege set" strategy.

                 Thanks,

                 natursalus

            • 3. Re: Bypassing FileMaker Password Recovery
              MarcMcCall

                   Here is another issue to take into consideration,  I have personally had to hack into a solution to gain access to it that my customer had lost the admin credentials,  I used the passware password recovery tool.  It removes the passwords completely and creates a new "unprotected file"  i then opened filemaker and opened the script debugger and was able to bypass the script steps that had originally been used in a fashion you are describing (verifying the username and password).  My experience is the best way is to use an encryp plugin or custom function if you want to better protect it along with removing the admin controls if feasable.

                    

                   I have also been able to somehow achieve this by developing solutions partially on Mac and on windows and the password recovery tool didn't even recognize the  .fp7 file at all.  nighwing has a very good encryption system which i've also used that I haven't been able to crack.  http://www.nightwingenterprises.com/DataVaultMaker/

              • 4. Re: Bypassing FileMaker Password Recovery
                NaturSalus

                     Hello Marc,

                     Thank you for the insight from the hacker point of view.wink

                     Now I see how feeble are FM Pro default security settings. 

                     It seems that an encrypting /decrypting custom function is a must.

                     natursalus

                • 5. Re: Bypassing FileMaker Password Recovery
                  MarcMcCall

                       It's not just Filemaker pro.  Pretty much every program on the market made has been hacked.  I've seen software out there that's priced at over $30,000 hacked in a matter of minutes.  Until there are no more people out there that don't want to pay for something and have knowledge of programing there will always be a someone out there able to crack it.  The only thing you can really do is slow them down or deter them.