Security Setting regarding Changing Passwords

[cneelley]

I am using version 7.1.9. It appears that it is possible for any user to change his or her password whenever they want. If this is correct, then I would appreciate a way to turn it off. If I am logged onto a computer as administrator, or just as a doctor, then if I walk away from that computer without logging off, then anybody can come behind me and change my password, locking me out.

I feel the need to control and determine passwords, and I definitely don't want anybody changing mine for me. If they altered my administrator password they could do anything. Defeats the purpose of security altogether.


Dr. Neelley

[jordansparks]

You would certainly know that your password had been altered the next time you went to use it because it wouldn't work. If you walked away from your computer with admin logged in, they would NOT change the password because that would give away the fact that they had temporary access to your account. What they would do instead would be to make changes to whatever they wanted. Changing the password wouldn't help them in that goal at all. Allowing users to change their own passwords does not compromise security in the slightest.

[enamelrod]

I dont agree with Jordan on that at all. it should be selectable if you can change the password or not. or at least have to confirm the old password first before allowing an employee to change a password. or email sent to verify a password has been changed.

[jordansparks]

I feel that the password has been confirmed because the person used it to log on in the first place.

The only security risk here is walking away from your computer without logging off. But that risk has not changed at all by the addition of this new feature. I still completely fail to see how it would benefit a malicious user to change someone's password. All it would do would be to alert the user that there was a security problem. That isn't what malicious users do. Go ahead. Explain to me how it helps them. They already have access. Changing the password will not magically give them more access than they had before.

[enamelrod]

your so right. But when my staff member gets on my computer and changes my password and logs on to another computer both are now logged on under me. SO now this person now has access to this other computer under my rights and I have no idea its even logged on under me. We have 3 headless computers that the staff remote access into to check the schedule from home. All I need is one person to get into my account on a thursday night change my password and go home remote in and go crazy on my account the whole weekend. then log out of open dental and log in as sunday morning as themselves and I wouldn't have a clue. This is why i had asked you about using the windows login to access OD. windows login keeps an audit also. And you probably thinking that they use their windows login to login remotely, but they dont I have these 3 computers set up to auto login under a set account that doesnt allow staff to do certain things.

[cneelley]

I suppose that you Jordan have a compelling reason to change the behavior of security and passwords and that you have thought about it extensively, or you would not have made the change. I don't know what those reasons are. It is just nerve racking to the average Joe when somebody can come right behind you and change your password, and you may not know that they did it, or what the new password may be. Dentists in general are control freaks, but not me

I guess that I will have to use it for a while to see if any real issues pop up. I thought that when you added security way back when that that was a major improvement and somehow it feels like the security is now compromised. Maybe I am wrong??

Dr. Neelley

[jordansparks]

Ok, you all win. We will make it require re-entry of the old password as part of changing the password. I'll have put it down as a bug so it doesn't get forgotten.

[Rickliftig]

And then we need a the hack for when we forget our password!