On Tuesday 25 May 2010 4:52:43 am Wordit Ltd wrote:
> On Mon, May 24, 2010 at 11:17 PM, V.Krishn <[email protected]> wrote:
> > I am guessing $secret is set by admin in some php file.
>
> config.php would be a good place.
>
> > Then secret would become permanent till those users exist,
> > and admin would not be able to change the secret when compromised.
>
> You can change a line in config.php whenever you like.
>
> > But then this would not be an issue as $password /s cannot easily be
> > known.
>
> If config.php is compromised then it's probably game over anyway.
> That's not really an issue in this context, just standard security for
> pmwiki and your web server.
>

Somehow I think sha1($email.$username.$password) should be sufficient.

Secondly, as no user info (including email) is stored on server, what would be the method to resend new password when lost?

>
> Marcus
>
> _______________________________________________
> pmwiki-users mailing list
> [email protected]
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users

--
Regards,
V.Krishn
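The two options weighed in this thread, side by side, as an added example that is not code from the thread or from PmWiki. It assumes the digest serves as a per-user token that the server recomputes instead of storing user records; the function names, the length-prefixed encoding, the choice of HMAC-SHA256 and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. $secret stands in for a value an
// admin would set in config.php; every sample value below is constructed.

// The expression from the thread: unkeyed, fields concatenated directly.
function token_plain($email, $username, $password) {
    return sha1($email . $username . $password);
}

// Keyed variant: HMAC-SHA256 under $secret, with each field length-prefixed
// so the boundaries between email, username and password are unambiguous.
function token_keyed($secret, $email, $username, $password) {
    $msg = '';
    foreach (array($email, $username, $password) as $field) {
        $msg .= strlen($field) . ':' . $field;
    }
    return hash_hmac('sha256', $msg, $secret);
}

// Recompute the token and compare in constant time (hash_equals, PHP >= 5.6).
function token_valid($secret, $presented, $email, $username, $password) {
    $expected = token_keyed($secret, $email, $username, $password);
    return hash_equals($expected, $presented);
}

// Case 1: direct concatenation. Both calls hash the identical string
// "a@example.orgbobpw", although the email and username differ.
var_dump(token_plain('a@example.org', 'bob', 'pw') ===
         token_plain('a@example.or', 'gbob', 'pw'));

// Case 2: the same two users under the keyed, length-prefixed token.
$secret = 'constructed-secret-1';
var_dump(token_keyed($secret, 'a@example.org', 'bob', 'pw') ===
         token_keyed($secret, 'a@example.or', 'gbob', 'pw'));

// Case 3: the admin changes the line in config.php. A token issued under
// the old secret is checked against the new one.
$issued = token_keyed($secret, 'a@example.org', 'bob', 'pw');
var_dump(token_valid('constructed-secret-2', $issued,
                     'a@example.org', 'bob', 'pw'));
```

The unkeyed digest can be recomputed by anyone who knows or guesses the three inputs, while the keyed one also requires the value from config.php; changing that value stops every token issued under the old secret from verifying.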
