Debugging password exposure

For complex topics that regular users would not be interested in. For power users and database administrators.
Post Reply
asceticwonder
Posts: 19
Joined: Thu Oct 15, 2015 8:44 am

Debugging password exposure

Post by asceticwonder » Wed Jul 11, 2018 2:32 pm

Hello everyone,

I had my OD admin account and all the MySQL root accounts on the same password.

The other day a 3rd party service (a clearinghouse) was debugging one of their client utilities remotely on our computers and then I noticed days later that the dev had left some debug notes on a sticky note on the desktop which included the MySQL root and OD admin account password.

I thought I would start here before I asked the clearinghouse support, but where was it possible that my password was served up in cleartext? Does OD save passwords in the db in cleartext? Is the MySQL root password sent from the OD client to the database in cleartext? Are devs with knowledge of OD able to get the root password via the hash stored at FreeDentalConfig.xml?

Thanks!

nathansparks
Posts: 172
Joined: Mon Aug 04, 2008 12:39 pm

Re: Debugging password exposure

Post by nathansparks » Wed Jul 11, 2018 3:47 pm

The MySQL password is not stored in the database. The OD admin password is not stored in the database. But, do not use one the same exact password for both, or in general for any two applications where security is important. There is a possibility that your clearinghouse password may be the same and maybe that is what you saw, as the clearinghouse rep would not care about the others probably (maybe let me know what clearinghouse, as some use plugins and could grab your mysql password easily via their code) but maybe he needed your mysql password for some reason (some clearinghouses use plugins that would use this)
In older versions of Open Dental, the password was stored in plain text. This is not a security issue in most offices (and not a HIPAA security violation because your network itself should be protected and your server encrypted), but there are two things we have done to help here. First of all if you are in an insecure network, or using Open Dental over the internet (like in a coffee shop or you are doing dentistry in a mobile environment) you should use HTTPS over Open Dental Middle Tier http://www.opendental.com/manual/middletier.html not a a direct connection and then have limited access to your server. Second, we now obfuscate (automatically) the MySQL password stored on your local client machine to prevent this type of thing, so I must ask, what version of Open Dental do you have? It is a long discussion about why we call it obfuscation, but basically it is possible to get the actual password from the obfuscated password but most people will not know how, and that is what we are protecting against, just making it too easy to bypass security.
I am looking into this a little more and waiting for your version and a clarification of what clearinghouse you use.

asceticwonder
Posts: 19
Joined: Thu Oct 15, 2015 8:44 am

Re: Debugging password exposure

Post by asceticwonder » Wed Jul 11, 2018 6:32 pm

Hi Nathan, thanks for the quick response.

I had forgotten that the clearinghouse client utility required the mysql password. I'm using EDS. OD version is very recent, installed in the last 3 months.

Are there threads related to fortifying the default OD install?


Post Reply