Enhanced Password Security
-
The other day, a customer complained that we - sometimes, but not always - wrote the password of their Hospital Information System (HIS) in our log files in clear text. Heh? Just another customer telling us bullshit!? Alas, right he is. When our application starts, it logs some general information, e.g. hardware, OS, and Environment Variables. And in the section of the Environment Variables, sometimes there was an entry like
HIS_PWD=CUSTOMERS_HIS_PASSWORD
The customer then found out that it did not happen when he started our application from the start menu or from its desktop item. It only happened when he started it from the HIS (as the doctors normally do: the HIS can provide us with context information like the patient the doctor is working on). Well, a process inherits the environment from the process it was started from, including all its Environment Variables. Do you see what happened here? It's really a great idea to store the clear-text password as an environment variable, it is absolutely safe there.
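Added example, not part of the original post and not the poster's application code: a startup logger that redacts secret-bearing environment variables before writing them out, a scrubbed environment for child processes, and a helper that shows the inheritance described above. The name patterns, function names and `SAMPLE_ENV` values are assumptions constructed for illustration.

```python
import re
import subprocess
import sys

# Assumption: name fragments that mark a variable as secret-bearing.
# False positives (e.g. the Unix working-directory variable PWD) only cost
# a little log detail, so the pattern errs on the side of redacting.
SENSITIVE_NAME = re.compile(r"PWD|PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)
# Credentials embedded in a URL value: scheme://user:password@host
URL_USERINFO = re.compile(r"(://[^/\s:@]+:)[^@\s]+(@)")

# Constructed sample environment, as a launcher like the HIS might pass it on.
SAMPLE_ENV = {
    "COMPUTERNAME": "WS-0421",
    "HIS_PWD": "constructed-example-value",
    "HIS_URL": "https://svc:constructed@his.example/api",
}

def redact_environment(env):
    """Return a copy of env that is safe to write to a log file."""
    safe = {}
    for name, value in env.items():
        if SENSITIVE_NAME.search(name):
            safe[name] = "<redacted>"  # keep the name so support can see it was set
        else:
            safe[name] = URL_USERINFO.sub(r"\1<redacted>\2", value)
    return safe

def scrubbed_child_environment(env):
    """Environment to hand to child processes: secret-bearing names removed."""
    return {k: v for k, v in env.items() if not SENSITIVE_NAME.search(k)}

def child_sees(env, name):
    """Start a child interpreter with env and report whether it inherited name."""
    code = f"import os; print({name!r} in os.environ)"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip() == "True"

if __name__ == "__main__":
    for name, value in sorted(redact_environment(SAMPLE_ENV).items()):
        print(f"{name}={value}")
```

Redaction only protects the log; the variable itself is still readable by every process started from the launcher unless the launcher passes a scrubbed environment.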
-
What a great idea! I'm on my way to a meeting - I will drop it in as my idea of safe development and then go to sleep. It will take them hours to figure out how to eat it...
I'm not questioning your powers of observation; I'm merely remarking upon the paradox of asking a masked man who he is. (V)
-
Ugh. I don't know what software this is, but as far as I can tell, the way they design hospital software is to take the biggest, worst, most horrifying Microsoft Access application you've ever encountered, the sort that happens when someone who wasn't a programmer discovered Access and built a giant, awful system on it and kept at it for a decade, and then model your new medical records application on that.
-
Trajan McGill wrote:
Microsoft Access
Worse, some use Cache. X|
You'll never get very far if all you do is follow instructions.
-
Hee hee!! I just stored a plain text password in an environment variable this morning! :laugh: Only temporarily and I have since rebooted. The password in question is generally protected inside an SSIS parameter file, but I wanted it closer to hand.
P.S. I had to keep it close to hand again today, but instead of doing
SET PWD=pa$$w0rd
I did
pa$$w0rd=PWD
for greater security! :laugh:
You'll never get very far if all you do is follow instructions.