General questions about using Fund Manager that do not fit into any other forum.
by ttomaich » Thu Jan 21, 2016 4:41 am
I am evaluating Fund Manager. One of my biggest concerns is security of my information. I understand that the username/password/account numbers for my investment accounts are stored in encrypted fashion in the .mm4 file. I would like to know more about the .mm4 file. Is it easily parsed and decrypted? (From a hacker's perspective, not a naive user perspective.) Is .mm4 a standard file format, or a Fund Manager-specific type? If the latter, it is likely more secure than the former.
On a related note, I see that the .dat files are stored as <asset_id>_<account_id>.dat. This is a bit troubling as now my account numbers are right there in plain text as part of the file name! Is there a way to change that?
Finally, I am considering just storing my .mm4 and .dat files on a removable media device such as a flash USB drive so that this data is not resident on my computer. Does this pose a problem for the software?
-
ttomaich
-
- Posts: 4
- Joined: Thu Jan 21, 2016 4:25 am
by Mark » Thu Jan 21, 2016 9:51 am
Hi ttomaich, Thanks for trying Fund Manager. Yes, the username/password/account numbers are encrypted in the *.mm4 file. The .mm4 and .dat files are binary files. They are specific to Fund Manager, so can only be read in by Fund Manager. However, other than the username/password/account numbers, the rest of the data is not encrypted in any way. Someone that had access to your data files could view them in a hex editor. If security of your data is a very high priority you could consider storing it on a USB that you keep more secure, or they also have software packages out there to create encrypted folders on your hard drive. You could google something like: windows encrypted folder You can adjust the default filename of new investments to not include the account number. See "Edit / Internet Retrieve / Transactions / New Investment Options...". You can also re-save an existing investment to a new filename using "File / Save Investment As...". The filename does not matter to Fund Manager, it can be anything you want. No problem storing your data on a USB drive, but you just need to make sure it is always available when using Fund Manager. Also, if you're not using Portable mode, the drive letter would always need to be the same, so your data location is not changing. Fund Manager tries to re-open your same portfolio file that you had open last time, so if the location changes, it won't be able to find/open it. You could turn off this option under "Options / General Preferences... / Data / Open Last Portfolio at Startup". You could also consider using the "Portable" mode, which keeps the program and the data together on your USB drive. In this case the drive letter that gets mapped when you insert the drive will not matter, as the data location is relative to the Fund Manager program in this case. For help on this feature, see: https://www.fundmanagersoftware.com/help/portable.html
-
Mark
- Site Admin
-
- Posts: 11574
- Joined: Thu Oct 25, 2007 2:24 pm
- Location: Chandler, AZ
-
by ttomaich » Fri Jan 22, 2016 8:07 am
This is very helpful. Thank you!
-
ttomaich
-
- Posts: 4
- Joined: Thu Jan 21, 2016 4:25 am
by jonahb » Sat Jan 07, 2023 1:38 pm
How are usernames, passwords, and account numbers encrypted? Is an encryption key generated per Fund Manager installation and, if so, is it possible to back up the key?
Related: If I were to open my files with a different installation of Fund Manager, which presumably does not have the encryption keys, how would Fund Manager behave? Would it clear usernames, passwords, and account numbers?
-
jonahb
-
- Posts: 3
- Joined: Sat Jan 07, 2023 1:34 pm
by Mark » Sun Jan 08, 2023 10:15 am
Hi jonahb,
The encryption key is not specific to each installation, so no, you can't back it up. If you open your files with a different Fund Manager it will still be able to read your data.
A couple other comments:
The encryption of this data in your *.mm4 file should not be considered secure. It is very basic encryption. Keeping your *.mm4 data file secure, password protecting it, or not storing your passwords in FM are recommended. If you leave your passwords blank in FM, you will be prompted for them each time you retrieve transactions, and the passwords will not be stored in the *.mm4 file. For convenience, you can store your passwords in the *.mm4 file, but then you should realize it is important to keep your *.mm4 file secure and/or password protect it. Anyone that has access to your *.mm4 file would be able to use FM to read it, unless you password protect it (Options / General Preferences... / Data / Password Protect Data).
-
Mark
- Site Admin
-
- Posts: 11574
- Joined: Thu Oct 25, 2007 2:24 pm
- Location: Chandler, AZ
-
by jonahb » Sat Jan 28, 2023 6:59 pm
Mark wrote:Keeping your *.mm4 data file secure, password protecting it, or not storing your passwords in FM are recommended.
Thanks, Mark. I would ask a similar question about password-protecting the .mm4 file. What method of encryption is used?
-
jonahb
-
- Posts: 3
- Joined: Sat Jan 07, 2023 1:34 pm
by Mark » Mon Jan 30, 2023 9:12 am
Hi jonahb,
The *.mm4 file is never fully encrypted. When password protecting your data, the password is stored encrypted in the *.mm4 file, and FM will only open the *.mm4 file if the correct password is entered. Someone could still view your *.mm4 file in a hex editor. The encryption of the usernames/passwords/account numbers and password for the password protection is a basic proprietary encryption, and should not be relied upon to be very secure. It will likely keep out the casual person, but not a sophisticated attacker.
-
Mark
- Site Admin
-
- Posts: 11574
- Joined: Thu Oct 25, 2007 2:24 pm
- Location: Chandler, AZ
-
by jonahb » Thu Feb 02, 2023 3:44 pm
Okay. Thanks for the detailed info, Mark.
-
jonahb
-
- Posts: 3
- Joined: Sat Jan 07, 2023 1:34 pm
Return to General
Who is online
Users browsing this forum: No registered users and 16 guests
|