[pmwiki-users] EnableDiag

Ian Barton lists at manor-farm.org
Fri Mar 2 05:28:10 CST 2007


> Note that passwords held in $DefaultPasswords and $AuthUser
> are encrypted, so even if someone obtains the encrypted values
> they would still need to break the encryption to learn the
> actual passwords.
> 
I am not sure exactly how the PHP encryption function works, but could 
getting the encrypted passwords make it possible for someone to run a 
dictionary attack?

In other words, if you don't use strong passwords, someone just runs their 
dictionary/generation algorithm through the crypt function and compares 
the output to the encrypted value?

Ian.
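
Added example (not part of the original message and not PmWiki's own code): a PHP self-audit that runs the comparison the question describes against your own stored hashes, to flag any password that appears in a weak-password list. The function name `weak_matches`, the account names, the passwords and the wordlist are all constructed for illustration.

```php
<?php
// Added example: audit stored crypt()-style hashes against a weak-password list.
// Every account name, password and wordlist entry here is constructed sample data.

/** Return true if any entry in $wordlist reproduces $storedHash. */
function weak_matches(string $storedHash, array $wordlist): bool
{
    foreach ($wordlist as $candidate) {
        // The stored hash carries its own algorithm id and salt, so passing it
        // as the salt argument makes crypt() re-hash the candidate the same way.
        // A match means the salt did not help: the password itself was guessable.
        if (hash_equals($storedHash, crypt($candidate, $storedHash))) {
            return true;
        }
    }
    return false;
}

// Constructed stand-ins for hashes kept in a config file. password_hash()
// emits crypt()-compatible bcrypt strings with a random salt.
$stored = [
    'admin' => password_hash('secret', PASSWORD_BCRYPT),          // weak password
    'edit'  => password_hash('T7#qv!Lw92-zRk', PASSWORD_BCRYPT),  // strong password
];

// Constructed weak-password list; a real audit would load a larger file.
$wordlist = ['password', 'letmein', 'secret', 'pmwiki', 'admin123'];

foreach ($stored as $account => $hash) {
    $status = weak_matches($hash, $wordlist)
        ? 'WEAK: matches a wordlist entry, change it'
        : 'not found in wordlist';
    echo $account, ': ', $status, PHP_EOL;
}
```

The salt and a slow algorithm raise the cost of each guess, but only a password outside any plausible wordlist survives this comparison.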


