[Pmwiki-users] Easily Hackable?
Patrick R. Michaud
Sat Apr 3 08:15:41 CST 2004
On Wed, Mar 31, 2004 at 07:47:14PM -0800, Greg Morgan wrote:
> So if your client is
> looking to create a publicly viewable page that can only be edited by
> their staff, then a wiki might not be the way to go. Unless you use a
> Wiki that has user-based authentication that's going to be an
> unavoidable problem.
> PmWiki has per-group and per-page passwords that can be set, but that
> has three big drawbacks.
> 1. If the admin decides to change the password to a group or page, he
> has to distribute that password to everyone who needs it.

I respectfully disagree that this is a drawback--in many environments
it's actually a feature. In several contexts where I work, with anywhere
from 5 to 30 people sharing write access to the wiki, having a shared
password is a *big* advantage over the maintenance of having each author
maintain his/her own individual password. Distribution of the password
is no problem--we simply announce at a group meeting "the password is
being changed to XXX" and things go from there. Plus people appreciate
that they don't have to remember yet another username/password sequence,
or that they can simply ask a trusted colleague "what's the password again?"

I would agree that for large numbers of users, per-user authentication
may be necessary. But for maintenance of a public web site where there
are likely to be only a very few authors, shared passwords are not really

Also, I think it's difficult to claim that shared passwords are a
disadvantage of PmWiki in the context of web maintenance--since the
common non-wiki methods for maintaining a web site *also* require the
use of a shared password. For example, if my organization is using plain
HTML for its web pages and I want authoring to be distributed among
others in the department, then I generally have to share the username+
password of the web account with everyone involved so they can modify
or upload HTML files on the server. This is much worse than a wiki,
since someone can accidentally or maliciously destroy all of the web content
without hope of recovery.

Finally, note that PmWiki doesn't *require* the use of shared passwords--
a wiki admin can easily set up an array of passwords--say, one per author--
which makes it possible to revoke passwords without having to tell the
rest of the group about a new password.

> 3. There's no relation between the password used and the Author of a
> given page. (i.e. It would be pretty easy to make a change to a
> page and for the Author put in your name or Pm's. Unless you were
> familiar with what IP address Pm posts from, you wouldn't be able
> to tell)

This is also not normally a problem in the context of web site maintenance.
Generally there are going to be a small number of authors, and for an
official/commercial site those people are (almost by definition) trusted.