Are passwords visible in plain text, whether when stored or entered, including service level accounts (i.e., database accounts, etc.)?
Explanation
Password exposure is under examination here, covering whether any passwords, including service-level and database accounts, are ever visible in plain text when stored or entered. This includes service accounts like database credentials.
Why it's important: Password visibility in plain text is a significant security vulnerability. If passwords are visible, they can be easily compromised through unauthorized access, shoulder surfing, or data breaches. HIPAA regulations require appropriate safeguards for protected health information (PHI), and password security is a fundamental control.
The question specifically mentions service accounts because these often have elevated privileges and may be handled differently than regular user accounts. Service account credentials that are visible in plain text (such as in configuration files, scripts, or environment variables) represent a serious security risk.
Best practices for answering:
- Review how passwords are stored in your databases and systems (they should be hashed, not encrypted or plain text)
- Check how password entry is handled in user interfaces (should be masked with asterisks or dots)
- Examine how service account credentials are managed (should use secure credential management)
- Look for any exceptions in your environment where passwords might be visible
A compliant answer would confirm that passwords are never stored or displayed in plain text, explaining the specific controls in place.
Guidance
Refer to HIPAA regulations documentation for supplemental guidance in this section.
Example Responses
Example Response 1
No, passwords are never visible in plain text in our systems For user passwords, we implement the following controls: 1) All passwords are stored using bcrypt hashing with appropriate salt values; 2) Password entry fields always mask characters with dots; 3) Service account passwords are managed through our enterprise password vault (HashiCorp Vault) which provides secure storage and rotation; 4) Database credentials are never hardcoded in application code but are retrieved at runtime from the secure vault; 5) We conduct regular code reviews and security scans to identify any instances of plain text passwords Our last penetration test confirmed these controls are functioning as intended.
Example Response 2
No Our organization has implemented comprehensive controls to prevent password visibility in plain text User passwords are stored using Argon2id hashing algorithm with unique salts All password entry fields implement character masking For service accounts, we use AWS Secrets Manager to securely store and automatically rotate credentials Our CI/CD pipeline includes automated checks that scan for hardcoded credentials or plain text passwords in code or configuration files Database credentials are managed through our IAM system with just-in-time access provisioning rather than persistent credential storage We conduct quarterly audits to verify compliance with these policies.
Example Response 3
Partially While our main application properly hashes user passwords in the database and masks password fields during entry, we have identified two areas requiring remediation: 1) Some of our legacy database maintenance scripts contain hardcoded service account credentials; 2) A third-party integration component stores API credentials in a configuration file as plain text We have developed a remediation plan to address these issues by implementing a secrets management solution (Azure Key Vault) and updating the affected components The remediation is scheduled for completion within the next 60 days In the interim, we have implemented compensating controls including restricted file access permissions and enhanced monitoring of the affected systems.
Context
- Tab
- Case-Specific
- Category
- HIPAA Compliance
Related questions
- Do your workforce members receive regular training related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and the HITECH Act?
- Have you identified areas of risk?
- Have the relevant policies/plans been tested?
- Have you entered into a Business Associate Agreements with all subcontractors who may have access to protected health information (PHI)?
- Do you monitor or receive information regarding changes in HIPAA regulations?
- Has your organization designated HIPAA Privacy and Security officers as required by the rules?

