On 3/15/07, Patrick R. Michaud <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 15, 2007 at 02:21:32PM -0400, The Editor wrote:
> > If I read protect a group, will that be sufficient to
> >
> > 1) protect its contents from action=diff?
> > 2) protect its contents from action=source?
> > 3) Text Vars being read from it onto other pages?
>
> Yes, at least with the core. (I make few guarantees as to what other recipes
> might do that could allow read-protected content to leak. :-)
>
> > Second, what is the best way to encrypt/unencrypt passwords. [...]
>
> Normally one does not "unencrypt" passwords. Instead, the way
> passwords work is that one stores the encrypted form of a password,
> and to check if an entered password matches the stored one, you
> simply re-encrypt the entered password and make sure that the
> resulting encryptions match.
>
> This is how crypt-based and md5-based password systems work.
> (PmWiki uses crypt() for its password encryptions.)
>
> Any system that uses two-way encryption functions (i.e., allowing
> stored passwords to be converted back to unencrypted form) is likely
> to be insecure unless there's a really good mechanism available
> for keeping the encryption key(s) secret. And you also have to be
> prepared to handle the case when the key is lost somehow.
>
> (I wouldn't consider storing the key in a config file as being "safe".)
>
> Pm

Ahhh, thanks Pm. Very clever. But then how does one send a password
reminder? Or is that not normally done?

Cheers,
Dan
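
The store-and-compare scheme described in the quoted reply, sketched in PHP with crypt(). This is an added example, not PmWiki's code and not part of the thread; the function names, the bcrypt setting string and the sample passwords are assumptions.

```php
<?php
// Added example: one-way password storage with crypt().
// store_password() and check_password() are hypothetical names.

// Hash a new password. Only the returned string is stored;
// the plaintext is never written anywhere.
function store_password(string $plain): string {
    // bcrypt salt: 22 characters from the alphabet ./A-Za-z0-9
    // (choosing bcrypt with cost 10 is an assumption of this example)
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($plain, '$2y$10$' . $salt);
    if (strlen($hash) < 13) {
        // crypt() signals failure with a short string such as "*0"
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Check a login attempt: re-run crypt() on the entered password, passing the
// stored hash as the salt argument so the same algorithm, cost and salt are
// used, then compare the two results.
function check_password(string $entered, string $stored): bool {
    $recomputed = crypt($entered, $stored);
    // hash_equals() compares in constant time to avoid a timing side channel
    return strlen($recomputed) >= 13 && hash_equals($stored, $recomputed);
}

// Constructed sample values.
$stored = store_password('correct horse');

echo "stored form:       ", $stored, "\n";
echo "right password:    ";
var_dump(check_password('correct horse', $stored));
echo "wrong password:    ";
var_dump(check_password('wrong guess', $stored));

// Hashing the same password again uses a fresh salt, so the stored strings
// differ even though both verify.
$again = store_password('correct horse');
echo "same stored form:  ";
var_dump($again === $stored);
echo "second one checks: ";
var_dump(check_password('correct horse', $again));
```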
