In any system there is the power user. Some systems allow for hidden/encrypted passwords, some do not. As a SQL database there should be the ability to encrypt yours - but that is a guess based on my experience working with these types of database apps.

My question to you would be: at what level are you comfortable with having this trusted person? In the event you take the ability to see the pw's away, what has it protected? Is there logging on the system that will tell you who has done what and when they did it? If not, that user could simply build a bogus ID and do what he wishes anyway.

Short and sweet: Does the effort to protect (cost) provide you a benefit that is greater than the risk you have presently?

Paul Hugenberg III, C.I.S.A.
Information Technology Audit Officer
Sky Financial Group
60 East Main Street
Salineville, Ohio 43945
(330) 679-2328
ext. 2190
mailto:[EMAIL PROTECTED]
-----Original Message-----
From: Kupersmith, Steven [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 05, 2002 10:07 AM
To: 'Kaplan, Jim'; '[EMAIL PROTECTED]'
Subject: RE: Question from a User

There is only one way: passwords should be encrypted and should not be displayed in clear text by anyone.

-----Original Message-----
From: Kaplan, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 05, 2002 10:01 AM
To: '[EMAIL PROTECTED]'
Subject: Question from a User

An AuditNet user submitted the following question:

We have an accounting application that shows all the user passwords in clear text when the delegated data owner (finance head - highest rights) invokes the option. What is the solution/mgmt. recommendation to mask the passwords (SQL database)?

Any IT auditors with an answer?
