We have contracted with an outside vendor to do some data management for us and we are assessing the level at which they are protecting our data. We do not have any FileMaker Pro or encryption experts on staff, so I'm turning to EE.
So far we have determined that the vendor is storing (and making publicly available per necessity) a CD containing a FileMaker Pro database (currently fp7 but I upgraded it to fmp12 easily). The database is password protected but a cheap $30 hack tool found what appears to be a non-admin account username and password. Their database appears "protected" by a startup script, but my understanding is that anyone with FMP Adv can bypass that script. I wasn't able to block the script with FMP.
Either way, by creating a new database and using relationships, I have been able to extract what appears to be all of the fields in the database into an Excel file. While most fields are plain text, we know the critical few fields are protected with 56-bit Blowfish encryption. Obviously a hacker would have no direct way of knowing the key.
My question to the hackers out there - how safe is 56-bit Blowfish encryption? With modern desktop computing power, and 100,000+ records in the file, each with several encrypted fields, wouldn't even a brute force attack by a novice hacker be able to decrypt the file within hours or at most a few days? I thought 56-bit went out in the late 90s.
The data isn't super sensitive but we still don't want it easily hacked. How secure do you experts feel a startup script, password-protected FileMaker Pro database is using 56-bit Blowfish encryption at the field level? Would someone be able to use FileMaker Pro Adv to block the startup script, view the script source and find the encryption key? I assume the key must be stored in the database somewhere, or can FileMaker Pro files be compiled to make the information hidden? Would you be comfortable having your data protected in this way?
Thank you for your help.