[pmwiki-users] EnableDiag
Ian Barton
lists at manor-farm.org
Fri Mar 2 05:28:10 CST 2007
> Note that passwords held in $DefaultPasswords and $AuthUser
> are encrypted, so even if someone obtains the encrypted values
> they would still need to break the encryption to learn the
> actual passwords.
>
I am not sure exactly how the PHP encryption function works, but could
getting the encrypted passwords make it possible for someone to run a
dictionary attack?
In other words, if you don't use strong passwords, someone just runs their
dictionary/generation algorithm through the crypt function and compares
the output to the encrypted value?
Ian.
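
The comparison asked about above, written as a self-audit of a site's own stored hashes. This is an added example, not part of the original message and not PmWiki code. The function name `find_weak_passwords`, the labels, the salts, the passwords and the wordlist are all constructed for illustration.

```php
<?php
// Added example: check your own crypt() hashes against a list of weak
// candidates. Every value below is constructed sample data.

/**
 * Return the labels whose stored hash matches one of the candidates.
 * password_verify() re-runs crypt() using the salt embedded in the stored
 * hash and compares the result in constant time.
 */
function find_weak_passwords(array $storedHashes, array $candidates): array
{
    $weak = [];
    foreach ($storedHashes as $label => $hash) {
        foreach ($candidates as $candidate) {
            if (password_verify($candidate, $hash)) {
                $weak[] = $label;   // record the entry, not the password
                break;
            }
        }
    }
    return $weak;
}

// Constructed stand-ins for the hashes a wiki configuration would hold.
$storedHashes = [
    'edit'  => crypt('sunshine', '$1$Qx7pLm2a$'),            // dictionary word
    'admin' => crypt('t9#Vq2!mZr8&Lw4@xK', '$1$b3Ns0Wd1$'),  // long random string
];

// Constructed wordlist of commonly chosen passwords.
$candidates = ['password', 'letmein', 'sunshine', 'pmwiki'];

$weak = find_weak_passwords($storedHashes, $candidates);

foreach (array_keys($storedHashes) as $label) {
    $status = in_array($label, $weak, true)
        ? 'WEAK: matches a wordlist entry, change it'
        : 'no wordlist match';
    echo str_pad($label, 8) . $status . "\n";
}
```

The salt is stored inside the hash itself, so anyone holding the hash can repeat this comparison offline; only a password that is absent from every candidate list holds up.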