[Pmwiki-users] Easily Hackable?

Patrick R. Michaud pmichaud
Sat Apr 3 08:15:41 CST 2004


On Wed, Mar 31, 2004 at 07:47:14PM -0800, Greg Morgan wrote:
>    So if your client is
>    looking to create a publicly viewable page that can only be edited by
>    their staff, then a wiki might not be the way to go. Unless you use a
>    Wiki that has user-based authentication that's going to be an
>    unavoidable problem.
>    PmWiki has per-group and per-page passwords that can be set, but that
>    has three big drawbacks.
>     1. If the admin decides to change the password to a group or page, he
>        has to distribute that password to everyone who needs it.

I respectfully disagree that this is a drawback--in many environments
it's actually a feature.  In several contexts where I work, with anywhere
from 5 to 30 people sharing write access to the wiki, having a shared
password is a *big* advantage over the maintenance of having each author
maintain his/her own individual password.  Distribution of the password
is no problem--we simply announce at a group meeting "the password is
being changed to XXX" and things go from there.  Plus people appreciate
that they don't have to remember yet another username/password sequence,
or that they can simply ask a trusted colleague "what's the password again?"

I would agree that for large numbers of users, per-user authentication
may be necessary.  But for maintenance of a public web site where there
are likely to be only a very few authors, shared passwords are not really
a problem.

Also, I think it's difficult to claim that shared passwords are a 
disadvantage of PmWiki in the context of web maintenance--since the 
common non-wiki methods for maintaining a web site *also* require the 
use of a shared password.  For example, if my organization is using plain 
HTML for its web pages and I want authoring to be distributed among 
others in the department, then I generally have to share the username+
password of the web account with everyone involved so they can modify
or upload HTML files on the server.  This is much worse than a wiki,
since someone can accidentally or maliciously destroy all of the web content
without hope of recovery.

Finally, note that PmWiki doesn't *require* the use of shared passwords--
a wiki admin can easily set up an array of passwords--say, one per author--
which makes it possible to revoke passwords without having to tell the
rest of the group about a new password.

>     3. There's no relation between the password used and the Author of a
>        given page. (i.e. It would be pretty easy to make a change to a
>        page and for the Author put in your name or Pm's. Unless you were
>        familiar with what IP address Pm posts from, you wouldn't be able
>        to tell)

This is also not normally a problem in the context of web site maintenance.
Generally there are going to be a small number of authors, and for an
official/commercial site those people are (almost by definition) trusted.

Pm
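
The "one password per author" arrangement mentioned in the message above, modelled as an added example that is not part of the original message and is not PmWiki's own code or configuration syntax. The class and method names (EditPasswords, issue, revoke, check), the authors and the passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a salted key so the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class EditPasswords:
    """Hypothetical list of accepted edit passwords, one entry per author."""

    def __init__(self):
        self._entries = {}  # label -> (salt, derived key)

    def issue(self, label: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries[label] = (salt, _derive(password, salt))

    def revoke(self, label: str) -> bool:
        """Remove one author's entry; every other entry stays valid."""
        return self._entries.pop(label, None) is not None

    def check(self, password: str):
        """Return the label of the matching entry, or None if none match."""
        matched = None
        for label, (salt, key) in self._entries.items():
            # Test every entry so timing does not show which one matched.
            if hmac.compare_digest(_derive(password, salt), key):
                matched = label
        return matched


def demo():
    # Constructed sample authors and passwords.
    store = EditPasswords()
    store.issue("alice", "correct-horse-1")
    store.issue("bob", "battery-staple-2")
    before = (store.check("correct-horse-1"), store.check("battery-staple-2"))
    store.revoke("alice")  # only alice's entry goes; bob keeps his password
    after = (store.check("correct-horse-1"), store.check("battery-staple-2"))
    return before, after
```
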


