[pmwiki-users] action diff, source and browse

The Editor editor at fast.st
Thu Mar 15 16:56:47 CDT 2007


On 3/15/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Thu, Mar 15, 2007 at 02:21:32PM -0400, The Editor wrote:
> > If I read protect a group, will that be sufficient to
> >
> > 1) protect its contents from action=diff?
> > 2) protect its contents from action=source?
> > 3) Text Vars being read from it onto other pages?
>
> Yes, at least with the core.  (I make few guarantees as to what other recipes
> might do that could allow read-protected content to leak. :-)
>
> > Second, what is the best way to encrypt/unencrypt passwords. [...]
>
> Normally one does not "unencrypt" passwords.  Instead, the way
> passwords work is that one stores the encrypted form of a password,
> and to check if an entered password matches the stored one, you
> simply re-encrypt the entered password and make sure that the
> resulting encryptions match.
>
> This is how crypt-based and md5-based password systems work.
> (PmWiki uses crypt() for its password encryptions.)
>
> Any system that uses two-way encryption functions (i.e., allowing
> stored passwords to be converted back to unencrypted form) is likely
> to be insecure unless there's a really good mechanism available
> for keeping the encryption key(s) secret.  And you also have to be
> prepared to handle the case when the key is lost somehow.
>
> (I wouldn't consider storing the key in a config file as being "safe".)
>
> Pm


Ahhh, thanks Pm.  Very clever.  But then how does one send a password
reminder? Or is that not normally done?

Cheers,
Dan
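
The store-and-compare check described in the quoted reply, as an added example that is not part of the original messages and is not PmWiki's own code. The function names and the sample password are hypothetical; it assumes PHP 7 or later, where crypt(), random_bytes() and hash_equals() are available.

```php
<?php
// Added illustration; hash_password() and check_password() are
// hypothetical names, not functions from PmWiki.

// Produce the value that gets stored: a one-way crypt() hash.
function hash_password(string $password): string {
    // 16 random salt characters; hex digits are valid crypt salt characters.
    $salt = bin2hex(random_bytes(8));
    // "$6$" selects SHA-512 crypt; the salt is embedded in the result.
    return crypt($password, '$6$rounds=5000$' . $salt . '$');
}

// Check an entered password against the stored hash.
function check_password(string $entered, string $stored): bool {
    // Passing the stored hash as the salt argument makes crypt() reuse
    // the algorithm, rounds and salt embedded in it, so the same
    // password yields the same string again.
    $candidate = crypt($entered, $stored);
    // On failure crypt() returns a string shorter than 13 characters.
    if (strlen($candidate) < 13) {
        return false;
    }
    // Constant-time comparison of the two hashes.
    return hash_equals($stored, $candidate);
}

// Constructed sample input.
$stored = hash_password('correct horse');

var_dump(check_password('correct horse', $stored)); // matching password
var_dump(check_password('wrong guess', $stored));   // non-matching password
// Hashing the same password again gives a different stored value,
// because a fresh random salt is generated each time.
var_dump(hash_password('correct horse') === $stored);
```

Only the hash is kept, so nothing in this code can turn $stored back into the original password.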


