Timwi <timwi(a)gmx.net> writes:
> However, I can see two problems with it. Firstly, if the hash is
> known, then the password might not be too difficult to crack anymore
> (because you can just do it locally). Secondly, users are probably
> generally too stupid to handle it correctly. Some people will put such
> a hashed URL into a public RSS reader (e.g. LiveJournal) and then
> complain that other people can read their feed.
> Admittedly, the latter problem is probably not quite as bad on Wikipedia.
That's a valid argument. A dictionary attack might be a problem
especially considering the problem that most users still use very weak
passwords. So additionally we could add a date of the last change into
the string where we calculate the hash from. I see that the
user_touched field already exists in the database. Could we use this?
So for example a calculation like
```php
$hash = sha1($user_id . $user_name . $user_password . $user_touched);
```
Of course then we would need to give a user-friendly error message
once the user can not be authenticated. I'm thinking about a single
valid RSS item saying that the user could not be authenticated and
explaining the fact that a new URL must be used after every edit.
Or if we don't have too many options in the settings yet, we could
make including the $user_touched variable optional... :-)
Regards
Patrice
--
Jesus answered, "I am the way and the truth and the life. No one comes
to the Father except through me." (The Bible, John 14:6)
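The token scheme Patrice proposes, worked through as an added example (not code from the thread or from MediaWiki): the PHP `sha1($user_id.$user_name.$user_password.$user_touched)` expression is rendered in Python, the feed endpoint returns the single "could not be authenticated" RSS item on failure, and a simulated edit that updates `user_touched` shows the old URL stops working. The user records, watchlist items and `record_edit` helper are constructed for the demonstration; `user_password` is taken to be the stored password hash, as in the thread.

```python
import hashlib
import hmac


def sample_users():
    """Constructed sample of the relevant user_* columns (not real data)."""
    return {
        42: {
            "name": "ExampleUser",
            "password": "stored-password-hash-placeholder",  # user_password column
            "touched": "20040801123000",                     # user_touched column
            "watchlist": [{"title": "Main Page", "description": "edited by Someone"}],
        },
    }


def feed_token(user_id, user_name, user_password, user_touched):
    """Python rendering of sha1($user_id.$user_name.$user_password.$user_touched).

    PHP '.' concatenates with no separator, so the fields are joined as-is;
    sha1() in PHP returns the hex digest, matched here by hexdigest().
    """
    material = f"{user_id}{user_name}{user_password}{user_touched}"
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def token_for(users, user_id):
    """Token that belongs in the user's current feed URL."""
    rec = users[user_id]
    return feed_token(user_id, rec["name"], rec["password"], rec["touched"])


def authenticate_feed(users, user_id, presented):
    """Return the user record if the presented token matches, else None."""
    rec = users.get(user_id)
    if rec is None:
        return None
    expected = token_for(users, user_id)
    # Constant-time comparison: a wrong token should not leak how close it was.
    ok = hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))
    return rec if ok else None


# The one RSS item served when authentication fails, as the thread suggests.
AUTH_FAILED_ITEM = {
    "title": "Could not authenticate feed",
    "description": "A new feed URL must be used after every edit; "
                   "fetch it again from your watchlist page.",
}


def feed_items(users, user_id, presented):
    rec = authenticate_feed(users, user_id, presented)
    return rec["watchlist"] if rec else [AUTH_FAILED_ITEM]


def record_edit(users, user_id, new_touched):
    """Simulate an edit: MediaWiki bumps user_touched, which rotates the token."""
    users[user_id]["touched"] = new_touched
```

Because the token still covers the stored password hash, rotation shortens how long a leaked URL stays valid but does not remove the offline guessing concern Timwi raised.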