[pmwiki-users] EnableDiag

Patrick R. Michaud pmichaud at pobox.com
Fri Mar 2 08:27:22 CST 2007


On Fri, Mar 02, 2007 at 11:28:10AM +0000, Ian Barton wrote:
> 
> > Note that passwords held in $DefaultPasswords and $AuthUser
> > are encrypted, so even if someone obtains the encrypted values
> > they would still need to break the encryption to learn the
> > actual passwords.
> > 
> I am not sure exactly how the PHP encryption function works, but could 
> getting the encrypted passwords make it possible for someone to run a 
> dictionary attack?
> 
> In other words, if you don't use strong passwords someone just runs their 
> dictionary/generation algorithm through the crypt function and compares 
> the output to the encrypted value?

Yes, weak passwords would be subject to a dictionary attack.

Pm
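
An added example, not part of the original message or of PmWiki's code: a site administrator can run the same comparison described above against their own stored values to find entries that need a stronger password. The function name `find_weak_hashes`, the account names, the salts, and the passwords are all constructed for the demonstration.

```php
<?php
// Added example (not PmWiki code): audit your own crypt() hashes against a
// list of known-weak passwords. All names, salts and passwords are constructed.

/**
 * Return the names of entries whose stored hash matches a listed weak password.
 *
 * password_verify() re-runs crypt() using the algorithm and salt embedded in
 * the stored hash and compares the result in constant time. The salt is part
 * of the stored value, so it only prevents precomputed tables; it does not
 * stop guessing against a single hash.
 */
function find_weak_hashes(array $stored, array $weakList): array
{
    $flagged = [];
    foreach ($stored as $name => $hash) {
        foreach ($weakList as $candidate) {
            if (password_verify($candidate, $hash)) {
                $flagged[] = $name;   // report the entry, not the password
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample: hashed values as they might sit in a local config file.
$stored = [
    'admin' => crypt('letmein', '$1$abcdefgh$'),        // weak: on the list
    'edit'  => crypt('T7#qv-Lw9!xR2m', '$1$ijklmnop$'), // not on the list
];

// Constructed sample: a short stand-in for a real common-password list.
$weakList = ['password', '123456', 'letmein', 'qwerty'];

$flagged = find_weak_hashes($stored, $weakList);

foreach (array_keys($stored) as $name) {
    $status = in_array($name, $flagged, true) ? 'WEAK, change it' : 'not on list';
    echo str_pad($name, 8), $status, PHP_EOL;
}
```

An entry reported as "not on list" has only been checked against the candidates supplied; a larger list or generated guesses may still match it.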


