Revision [1389]

This is an old revision of UserSettingsAndPasswords made by NilsLindenberg on 2004-09-25 07:06:31.


User Settings and Passwords


Here I'll share my efforts to make user registration, login/logout and password handling a little more user-friendly as well as more secure. Apart from making sure the associated forms are XHTML-compliant, I'm also making them accessible according to the WAI guidelines.

Password length

Currently the system only enforces a minimum password length of 5 characters. A 5-character password is generally not considered secure, so my first action was to make this minimum length Admin-configurable.

  1. edit wikka.config.php and add the following line:
    "user_min_password" => "5",    // default minimum password length
  1. edit actions/usersettings.php and replace every occurrence of
    < 5
    with
    < $this->config["user_min_password"]

Now the minimum password length is Admin-configurable and is enforced in UserSettings for both registration and login. (Make sure any existing passwords are of sufficient length first: because the same check also runs at login, a user whose existing password is shorter than the new minimum will be unable to log in until it has been changed.) A good minimum is 8 characters, but this patch keeps Wikka's current default of 5.
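The check from the procedure above, written out as a stand-alone function. This is an added example, not Wikka's own code: the $config array stands in for $this->config, the function names are my own, and the fallback for a missing or unusable "user_min_password" value (the case of an installation upgraded without editing wikka.config.php) is an assumption about what sensible behaviour should be. It uses PHP 7 syntax rather than the PHP 4 of the original patch.

```php
<?php
// Added example, not Wikka's own code: the password-length check driven
// by the "user_min_password" setting from wikka.config.php.
// $config mirrors $this->config; function names and the fallback
// behaviour are assumptions for illustration.

const DEFAULT_MIN_PASSWORD_LENGTH = 5;   // Wikka's current hard-coded minimum

/**
 * Minimum password length from the configuration.
 *
 * An installation upgraded without the new key (or with a non-numeric
 * value) would otherwise compare strlen() against null/0 and accept
 * empty passwords, so anything unusable falls back to the old default.
 */
function min_password_length(array $config): int
{
    $raw = $config['user_min_password'] ?? null;
    if ($raw === null || !is_numeric($raw) || (int) $raw < 1) {
        return DEFAULT_MIN_PASSWORD_LENGTH;
    }
    return (int) $raw;
}

/**
 * Validate a new password at registration or password change.
 * Returns null when acceptable, otherwise the message to show in the form.
 */
function check_new_password(string $password, array $config): ?string
{
    $min = min_password_length($config);
    if (strlen($password) < $min) {
        return "Password too short: at least $min characters required.";
    }
    return null;
}

// Constructed sample inputs for a quick run from the command line:
// the patched setting, an upgraded install without the key, and a bad value.
$configs = [
    'patched (user_min_password = 8)' => ['user_min_password' => '8'],
    'upgraded, key missing'           => [],
    'non-numeric value'               => ['user_min_password' => 'lots'],
];
$candidates = ['abc', 'abcde', 'correcthorse'];

foreach ($configs as $label => $config) {
    echo "$label -> minimum ", min_password_length($config), "\n";
    foreach ($candidates as $pw) {
        printf("  %-14s %s\n", $pw, check_new_password($pw, $config) ?? 'ok');
    }
}
```

Run it with `php` on the command line: under the patched setting only "correcthorse" passes, while the two broken configurations fall back to 5 instead of accepting everything. The patch calls the same comparison from the login branch as well; if you keep that, remember the caveat above about users whose stored passwords predate the higher minimum. Restricting the check to registration and password change, and leaving login alone, avoids locking those users out while still preventing new short passwords.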

Um, I'm not one to speak from experience, but isn't the whole concept of a wiki supposed to render security irrelevant? Additionally, the idea of the wiki format (instead of a forum) is that editing a page for non-registered users should be as easy and quick as possible. If anything, the default should be lower than 5 (like 2 characters). I appreciate the ability to configure the min_length, but does this have any ramifications on /setup files? Like in the case of upgrading? -- Sam

No, I don't think the concept of a Wiki is to make security irrelevant - just to make a community effort to maintain pages/information on the Web (or an intranet) easy. But many Wikis (including this one!) have been configured to require a user to have an account and be logged in to be able to edit any page.
The idea behind more secure passwords is not to make the Wiki more secure, but to make those accounts more secure - so someone else may not "take over" an account and then impersonate someone. And let's not forget that most Wikis also have a Wiki Master and one or more users with Admin rights - should anyone be able to easily take over those accounts? I think not (at that point security of user-supplied email addresses also becomes relevant).

Of course, if you think 2 characters is sufficient for your Wiki, my patch (applied once) allows you to configure just that instead of replacing a constant in 10 locations or so (I didn't count). I just go in the other direction. ;-)

Upgrading is a good point though: I don't know how upgrading is implemented (yet) - I've only looked at a current installation and new setups so far. I'll look into that; I've only just started with Wikka... Thanks!
-- JavaWoman


CategoryDevelopment
