From Stephen Giunta
NEVER give this formula to ANY customer. This information is internal for all of support and engineering ONLY.
The reason this password rolls with each month is because having a "backdoor" password is a HUGE security liability. We should hardly need to release this, or any other, DT password to customers, except under extenuating circumstances, and even then, it is meant for them to fix the existing admin credentials and forget the backdoor login. Also never use the term "backdoor" with a customer.
Going forward if a customer needs this, or any other DTPro password, two things need to happen before it is released:
- An acknowledgement of release from the customer. (See my example below)
- Information explaining that this password is meant for temporary use ONLY, and instruction on how to "reset" existing administrative accounts.
The "acknowledgement of release" is to help shield us from any security or data breach liability (to their system) that could occur after the customer receives a DTPro password. The following is an example of what this should look like when corresponding with the customer:
"Before Mesa can release the DTPro administrative credentials we will need you to confirm (a reply to this email will suffice) that you are the DataTrace system owner and/or administrator, and by acknowledging this statement you take full responsibility for any and all resulting consequences which may occur, including, but not limited to: manipulation, corruption, or deletion of the database, data, and/or system/software settings of the current DataTrace system. Once you have acknowledged that the previous statement is correct, we will release the admin credentials for your DataTrace system."
The information explaining that the "backdoor" password is temporary should be clear enough for them to figure out how to reset or create an administrative account through the DTPro software, such that they can use this account to manage their system as opposed to using the "backdoor" credentials.
I am implementing a new DataTrace policy for security purposes:
- Anyone who communicates the backdoor password to a customer, after acknowledgement of release from the customer, may not communicate this information more than one time within a two-consecutive-month timeframe.
Basically, if a customer needs this information during the month of September, then asks for it again in November, you shall not release it; instead, you CAN log in using the backdoor credentials on the customer's behalf and help them change/set up an admin account, but you cannot communicate what the password is.
We are playing a very dangerous game when we openly release and send system passwords (especially in plain text), and with the instabilities that are already known with the DTPro system it is not appropriate to introduce any more security vulnerabilities or variation.
Please let me know if you have any questions or comments and I will be happy to address them.
File this away guys, it is actually trivial:
DT Pro backdoor password is: "qweDFGrty" + (Now.Month * 2 + 31)
Dan Sullivan