We went live with BSI10 in December due to the requirement that BSI9 was no longer supported - like most everyone else. We have dealt with the quirks/issues that have risen, and so far are not too much worse for the wear. Today when I was looking through the files I noticed a option file that is stored for each environment you have configured and noticed that within the file BSI stores the DSN that is setup for the environment along with plain text user ID and password to the database. Is it just me or is this not only a lack of secure practices but just a very outdated approach to managing sensitive account information? I'm a little concerned that anyone who has access to the server could acquire the credentials to our database(s) just by perusing the minimal files that are on the system.
Thoughts? -Chris