Password files should always be encrypted, no ifs, ands or buts. Ultimately it depends on the application and how the vendor has coded it.
Whether or not you can keep the passwords secure in a SQL DB depends on whether or not the application supports this type of storage. If you use W2k or another OS (Unix), you may be able to encrypt the files and directories, so that unauthorized users would not be able to view any files; you could also set directory and file permissions to restrict access to the file as well.
If the application can read from a DB or an encrypted file, or does not balk at directory and file permissions, you may be able to do this; otherwise you should contact the vendor and find out what can be done to protect that file. Explain to them that this is unacceptable and that it is a serious security breach.
Val Moutsopoulos
Investors Bank & Trust
IT Audit Manager
Voice: (617) 937 - 3268
Cell: (617) 901 - 3513
E-mail: [EMAIL PROTECTED]
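The reply above says the password file should be "encrypted"; the usual way to achieve what the original question asks for (nobody, not even the finance head with the highest rights, can read a user's password out of the SQL database) is to store a salted one-way hash instead of the password itself, and to verify a login by recomputing the hash. The following is an added example written for this page, not code from AuditNet, the vendor application, or the author of the reply. It assumes Python with the standard library only, uses SQLite as a stand-in for the application's SQL database, and picks PBKDF2-HMAC-SHA256 with a 200,000-iteration count as an assumed minimum (tune upward for your hardware). It also shows the file-permission step the reply mentions, restricting the database file to its owner on a Unix-style OS.

```python
import hashlib
import hmac
import os
import sqlite3
import stat

# Assumed parameters for this example (not from the thread); raise ITERATIONS as hardware allows.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest, iterations). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def open_db(path=":memory:"):
    """Create the users table; only salt, digest and iteration count are ever stored."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " digest BLOB NOT NULL,"
        " iterations INTEGER NOT NULL)"
    )
    return conn


def create_user(conn, username, password):
    """Store a salted hash for the user; the clear-text password is discarded."""
    salt, digest, iters = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (username, salt, digest, iters))
    conn.commit()


def verify_user(conn, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, digest, iterations FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same work for unknown users so response time does not reveal who exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, digest, iters = row
    _, candidate, _ = hash_password(password, salt, iters)
    return hmac.compare_digest(candidate, digest)


def stored_record(conn, username):
    """What a privileged 'view passwords' option could see at most: salt and digest, no password."""
    salt, digest, iters = conn.execute(
        "SELECT salt, digest, iterations FROM users WHERE username = ?", (username,)
    ).fetchone()
    return {"salt": salt, "digest": digest, "iterations": iters}


def restrict_to_owner(path):
    """Apply the file-permission control from the reply: owner read/write only (Unix semantics)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample data; any resemblance to real accounts is coincidental.
    conn = open_db()
    create_user(conn, "finance_head", "correct horse battery staple")
    print("login ok:", verify_user(conn, "finance_head", "correct horse battery staple"))
    print("bad password:", verify_user(conn, "finance_head", "wrong"))
    print("stored digest (hex):", stored_record(conn, "finance_head")["digest"].hex())
```

Storing the iteration count alongside each record lets the parameter be raised later for new or re-hashed accounts without breaking existing logins, and `hmac.compare_digest` avoids a comparison whose timing depends on how many leading bytes match.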
-----Original Message-----
From: Kaplan, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 05, 2002 10:01 AM
To: '[EMAIL PROTECTED]'
Subject: Question from a User

An AuditNet user submitted the following question:

We have an accounting application that shows all the user passwords in clear text when the delegated data owner (finance head - highest rights) invokes the option. What is the solution/mgmt. recommendation to mask the passwords (SQL database)?

Any IT auditors with an answer?
**************************************************************************
This message and any attached documents contain information
which may be confidential, subject to privilege or exempt from
disclosure under applicable law. These materials are solely for
the use of the intended recipient. If you are not the intended
recipient of this transmission, you are hereby notified that any
distribution, disclosure, printing, copying, storage, modification
or the taking of any action in reliance upon this transmission is
strictly prohibited. Delivery of this message to any person other
than the intended recipient shall not compromise or waive
such confidentiality, privilege or exemption from disclosure as
to this communication.
If you have received this communication in error, please notify
the sender immediately and delete this message from your system.
*****************************************************************************
