Jeremy Smith's blog

Entry Is Labelled

Password Protecting Entries and Blogs

One of the most often asked for features for the Blog@Case system is to provide access control to individual blog entries or, even, an entire weblog i.e. put passwords on them. Right now, there is no way to do this. And, even in providing this functionality, it begs the question "is this something we even want" or "are we using the wrong tool for the job here?"

There are three ways to "protect" a blog or an entry. The first and most simple way is the methodology used in Password Protect Entries and other similar plugins. That is, for an entry you want to protect, you create a password for it. Anyone seeking to view the entry is prompted to input the password to view it. I would assume, then, you would email the password out to those individuals you would want to be able to read the entry.

This begs the question, why not just send the contents of the entry in the email?

The second way to provide access control is to integrate weblog entries with LDAP authentication and authorization. In this scenario, users could, when creating entries, provide a list of those Case users whom he or she would like to be able to access the entry.

This scenario fails brilliantly if you want someone lacking a Case account to be able to access your entry. Without Federated Identity implementations hitting critical mass, there is no good solution to this problem other than just combining it with another system.

The final way (that I can think of) is to be able to create local "blog" accounts. So, if you have, you could create local accounts. Bill would get the account bill with a password of "mario". Mary would get the account mary with the password "zelda". Jen would get the account jen with the password "samus".

First of all, the tools to support this final solution would take considerable coding. Not to mention that, now, every blog owner is running, troubleshooting, and operating his or her own little account management system. Creating new accounts. Resetting passwords. Having accounts get hacked. Running into confusion from other users trying to access the protected contents. Headaches. Headaches. Headaches.

And, all of this, all of it is ignoring the problems introduced into the blog's syndicated feeds. I guess one would just omit them from the feeds. But, a weblog without syndicated feeds... that's like a ballpark stadium hot dog without spicy brown mustard (or another equally absurd metaphor which describes an item lacking an essential accessory which effectively removes the greatest piece of its functionality).

It all feels to me that a tool is being used incorrectly like sending sensitive and confidential data over email. You can do it, but it isn't the optimum solution and can lead to a false sense of usefulness.

I am going to have to mull it over some more. There may be an elegant solution to this which is in my blind spot. Furthermore, I would rather implement something and have my reservations proven wrong by widespread effective use of it. But, my initial take is that it is a case of misconstruing a tool to solve a problem that would be better suited with another tool.


  1. gravatar

    A lot of people at Warwick have wanted to do the same thing. They want their friends back at home or their parents to be able to view their entries, but only them, not the world at large. We've basically said no for much the same reasons as you have.

    However, we have gone for the LDAP integration. The most common use we have found is simply to set an entry to be viewable to logged in people only, or only commentable by logged in people, or only staff. People can set up small groups with usercodes, but it is certainly usually larger groups people choose. As you said, if you just want 2 people to read it, then email it :)

  2. gravatar

    To me it completely destroys the purpose of blog@case. No passwords please!

  3. gravatar

    I'm with you 100% - no passwords. No way. This is not a private and personal website. This is a method of communicating and sharing ideas and experiences. I learn best by example. The first time I read about Wiki I thought no way - your site will be covered with slanderous statements and misdirection. Some of the most productive installation guides I've seen are wiki's. Once the novelty of "hacking" up someone else's work wears off, I realised that most people are actually happy to share their experiences and mis-steps. Oh, and I don't travel in Academic circles, so where else would I have gotten to know Jeremy? Or that I like the way he thinks.

  4. gravatar

    I totally disagree, and I think passwords would be a good thing. You are also missing a fourth possible implementation: Have one password that protects the entire blog. Then the owner could even restict people by saying "the password is the name of my former highschool". This, along with the owner's ability to change the password semi-regularly would effectively allow someone to limit their blog to family, friends, coworkers, or their book club. No, it would not offer bulletproof security, but it would screen out a lot of people that you may not want to read you blog, and it would allow bloggers to more comfortably post intimate information that they are comfortable talking about but not comfortable sharing with the entire world to be preserved forever on the internet. All this with no complicated accounts system, no email for each blog entry, and a fairly simple implementation too!