About once a month we get a Support request pleading for help in accessing a password-protected database. The user has forgotten the password and needs to get at the database for an important purpose.
If the simple password scheme built into DEVONthink was used, we can suggest that the user upload the database to Eric for unlocking it. There’s a FAQ on the Web site with instructions on how to upload the database. It will be returned unlocked to the user. We have no interest in looking inside your database, and the DEVONtechnologies business plan doesn’t include trying to steal your bank account password.
For more secure protection I recommend an encrypted disk image, probably using 256-bit encryption. That’s pretty darn secure.
Apple’s File vault will secure an entire user account, and of course whole disk encryption locks the entire disk to unauthorized access. Personally, I’ve never used those solutions, as if anything goes wrong the secured data — everything — is likely gone forever.
Putting on my Support hat, let me beg users — especially those using really secure protection — not to forget your password(s). If you do, there’s nothing we can do to help, except to offer our sympathy.
Don’t assume that using secure encryption is all it takes to keep your data secure. Most unauthorized access to secured information isn’t done by people who use sophisticated technological means to crack the password. Almost always, access is gained by human engineering approaches. A clever spy may be able to trick the user into volunteering the password. Perhaps he will find the password on a sticky note on the computer. More likely, your spy may simply try “obvious” passwords — your dog’s name, your wife’s birthday, etc. So if you forget your password, try to find a good espionage agent and let him ask you a few questions. He may be able to figure out the password you’ve forgotten. Most people use pretty predictable passwords.
The tip posted earlier in this thread, not to turn on Spotlight indexing for secured information, is a good one. Here’s another: be careful about “broadcasting” a sensitive database when DTPO2’s Web sharing Server mode is active. Use File > Database Properties to uncheck that option, which can be toggled on or off for individual databases.
Also note that although the DTPO Server preferences allow one to set a username and password, which provides at least some access control, and individual databases can have passwords, that’s not really high-level security, although it’s good enough to keep casual bystanders out.