[pmwiki-users] EnableDiag
Patrick R. Michaud
pmichaud at pobox.com
Fri Mar 2 08:27:22 CST 2007
On Fri, Mar 02, 2007 at 11:28:10AM +0000, Ian Barton wrote:
>
> > Note that passwords held in $DefaultPasswords and $AuthUser
> > are encrypted, so even if someone obtains the encrypted values
> > they would still need to break the encryption to learn the
> > actual passwords.
> >
> I am not sure exactly how the PHP encryption function works, but could
> getting the encrypted passwords make it possible for someone to run a
> dictionary attack?
>
> In other words, if you don't use strong passwords someone just runs their
> dictionary/generation algorithm through the crypt function and compares
> the output to the encrypted value?
Yes, weak passwords would be subject to a dictionary attack.
Pm
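
The check discussed in this thread, turned into an audit a site admin can run against their own stored values (an added example, not part of the original message and not PmWiki code). The function name, account names, salts and passwords are all constructed for illustration.

```php
<?php
// Added example: flag stored crypt() hashes that match a known-weak password.
// Every account name, salt and password below is constructed sample data.

/**
 * Return [account => matching weak password] for each stored hash that
 * verifies against an entry in $weakList.
 * crypt() reads the scheme and salt from the stored hash itself, so each
 * candidate is re-hashed with the same parameters and then compared.
 */
function find_weak_hashes(array $stored, array $weakList): array
{
    $flagged = [];
    foreach ($stored as $account => $hash) {
        foreach ($weakList as $candidate) {
            // hash_equals() compares in constant time.
            if (hash_equals($hash, crypt($candidate, $hash))) {
                $flagged[$account] = $candidate;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample: hashes are generated here, not copied from a real site.
$stored = [
    'admin' => crypt('letmein', '$1$exampleA$'),          // weak password
    'edit'  => crypt('T7#qv9!Lr2@xWm5p', '$1$exampleB$'), // not on the list
];
$weakList = ['password', '123456', 'letmein', 'pmwiki'];

foreach (find_weak_hashes($stored, $weakList) as $account => $candidate) {
    echo "$account: password is on the weak list, reset it\n";
}
```

With the sample data only `admin` is reported, which is the point made in the reply: the hash protects a strong password and does nothing for one that is already on a wordlist.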