Clone this wiki locally
How to use encrypted passwords in your config file.
config.php, the variable
$yourls_user_passwords shall contain an array of usernames and passwords.
To improve security and user experience, YOURLS 1.7+ automatically encrypts these passwords within your config file.
Editing login & passwords in
Edit and save your config file with an array of simple
key => value associations like the followings:
<?php $yourls_user_passwords = array( 'joe' => 'MyPassword', );
Two or more users and login/passwords pairs:
<?php $yourls_user_passwords = array( 'joe' => 'MyPassword', 'Randall' => 'correct horse battery staple', 'leetboy' => 'h3ll0w0rld!', 'api' => 'passwordfortheapi', );
Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and undecipherable hashes. If you check now your
config.php, you should see something like:
<?php $yourls_user_passwords = array( 'joe' => 'phpass:!2a!08!gRCCvpvK22BgiNzN9q9fXOnjCXqQoZP/P0wydAj7bB2', 'api' => 'phpass:!2a!08!m4IbkpuC0jjDIab7yRvjXeljjvcOJTASFL5nagml1Dm', // etc.. );
User will still log in using
joe as a username and
MyPassword as a password, but this password is no longer written down anywhere in the config file.
Nerd note: we're using the rock solid phpass library to encrypt passwords. This library will use the most secure encryption protocol installed on your server, and will hash your passwords so tight even the NSA will never find out.
Protecting your config file
A good practice, especially in a shared hosting environment, is to change file permissions to disallow write access to your files. The best thing to do is to edit your
config.php with a new password, run YOURLS to get it encrypted, and then remove write permissions.
Depending on your host, you should change
config.php permissions to 400, 440 or 600. This can be done via the command line (
chmod 0440 config.php) or using your FTP client. For more help on this matter, please contact your host support.
I have an error message: "Could not auto-encrypt passwords"
If YOURLS cannot edit and save your
config.php file, you will see the following notice:
Could not auto-encrypt passwords. Error was: "cannot write file".
Your config file is probably locked for reading and or writing (eg chmoded), which can be a good security practice. Temporarily lift that restriction (
chmod 0666 config.php), load a YOURLS page again, then
chmod it back.
If for some reason you cannot get it working, see manual MD5 encryption below
Why hash passwords ?
Storing your password as a crypted hash is more secure: if someone has access to your
config.php, they won't be able to determine what your password is and won't be able to log in your setup. The drawback is that if you forget your own password, you cannot retrieve it: see below.
I don't remember my password / I want to change it
Simply edit your
config.php and write a new password in clear text. Next time you'll load YOURLS, it will be encrypted again.
Manual MD5 encryption
If you prefer, you can manually encrypt passswords using a MD5 salted hash of the following structure:
md5:< salt of 5 digits >:< md5 of salt + password >
A PHP example to generate an encrypted password would be:
<?php $password = 'MyPassword'; $salt = rand( 10000, 99999 ); // example: 71688 $encrypted = 'md5:' . $salt . ':' . md5( $salt . $password ) // example: md5:71688:0ce43474167f743b7b92d046ae970801
You can simply use the YOURLS salted hash generator.
config.php so that the
key => value associations with encrypted passwords looks like the following:
<?php $yourls_user_passwords = array( 'joe' => 'md5:71688:0ce43474167f743b7b92d046ae970801', );
Hashes using MD5 are slightly less secure than using YOURLS encryption, but still way better than plain text passwords.
But I don't want to encrypt my password !
If for some reason you'd rather keep your password unencrypted and in plain text in your config, simply add the following at the end of your
define( 'YOURLS_NO_HASH_PASSWORD', true );