UsernamePasswords
How to use encrypted passwords in your config file
In config.php, the variable $yourls_user_passwords contains an array of usernames and passwords. In YOURLS 1.5.1+ these passwords can be stored as plain text or as encrypted hashes.

Using plain text passwords

Save your config file with an array of simple key=>value associations like the following.

One login/password:

    $yourls_user_passwords = array(
        'joe' => 'MyPassword',
    );

You can of course define two or more login/password pairs:

    $yourls_user_passwords = array(
        'joe' => 'MyPassword',
        'Randall' => 'correct horse battery staple',
        'leetboy' => 'h3ll0w0rld!',
        'api' => 'passwordfortheapi'
    );

Using encrypted salted passwords

Instead of storing your password as clear text, you can encrypt it using a salted hash of the following structure:

    md5:<salt of 5 digits>:<md5 of salt + password>

A PHP example to generate an encrypted password would be:

    $password = 'MyPassword';
    $salt = rand( 10000, 99999 ); // example: 71688
    // Concatenate the salt and the password, hash them, and prefix the result with the salt
    $encrypted = 'md5:' . $salt . ':' . md5( $salt . $password );
    // example: md5:71688:0ce43474167f743b7b92d046ae970801

You can also simply use the YOURLS salted hash generator.

The key=>value associations with encrypted passwords now look like the following:

    $yourls_user_passwords = array(
        'joe' => 'md5:71688:0ce43474167f743b7b92d046ae970801',
    );

The user will still log in using joe as a username and MyPassword as a password, but this password is no longer written down anywhere in the config file.

Benefits of both methods

Storing your password in clear text is quicker, for instance when you want to create temporary access for someone. Also, since your password is stored in clear text, when you forget it, simply view your config.php and you'll read it.

Storing your password as a salted hash is more secure: if someone has access to your config.php, they won't be able to determine what your password is and won't be able to log in to your setup. The drawback is that if you forget your own password, you cannot retrieve it. Simply generate a new one and update your config.php.

----
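One way a login check can handle both storage forms described above and list the entries still kept in clear text. This is an added example, not YOURLS's own code: the function names make_salted_entry and check_entry, the format-matching regular expression and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example, not YOURLS code. Function names are hypothetical.

// Build a stored value in the format this page describes:
// md5:<salt of 5 digits>:<md5 of salt + password>
function make_salted_entry( $password ) {
    $salt = rand( 10000, 99999 );
    return 'md5:' . $salt . ':' . md5( $salt . $password );
}

// Check a submitted password against one stored entry, which may be
// either plain text or a salted hash (assumed to be told apart by shape).
function check_entry( $stored, $submitted ) {
    if ( preg_match( '/^md5:(\d{5}):([0-9a-f]{32})$/', $stored, $m ) ) {
        // Recompute md5( salt . password ) with the stored salt.
        return hash_equals( $m[2], md5( $m[1] . $submitted ) );
    }
    // Anything else is treated as a plain text password.
    return hash_equals( $stored, $submitted );
}

// Constructed sample config (values are made up for this example).
$yourls_user_passwords = array(
    'joe'     => make_salted_entry( 'MyPassword' ),
    'Randall' => 'correct horse battery staple',
);

// Constructed login attempts: username, submitted password.
$attempts = array(
    array( 'joe', 'MyPassword' ),
    array( 'joe', 'mypassword' ),
    array( 'Randall', 'correct horse battery staple' ),
    array( 'nobody', 'whatever' ),
);

foreach ( $attempts as $a ) {
    list( $user, $pass ) = $a;
    $ok = isset( $yourls_user_passwords[ $user ] )
        && check_entry( $yourls_user_passwords[ $user ], $pass );
    printf( "%-8s %s\n", $user, $ok ? 'accepted' : 'rejected' );
}

// List accounts still stored in clear text so they can be converted.
foreach ( $yourls_user_passwords as $user => $stored ) {
    if ( ! preg_match( '/^md5:\d{5}:[0-9a-f]{32}$/', $stored ) ) {
        echo "plain text entry: $user\n";
    }
}
```

Because the two forms are told apart only by shape in this example, a plain text password that itself matches the md5:salt:hash pattern would be treated as a hash. hash_equals requires PHP 5.6 or later.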
VERY useful and important. Should add a way to avoid MySQL password as well, as most implementors might have signed for a single MySQL database for all their web projects.
That's unfortunately not possible.
The encryption isn't working for me... Every time I encrypt my password, YOURLS doesn't recognize it when I try to log in. I've already tried different passwords and none of them worked.
fjhortel and others: requires 1.5.1 (i.e. a nightly build atm)
Thank you ozh, I downloaded the latest version from svn and it is working now.
Where to download the latest PHP scripts version 1.5.1? Is there a bundle zip already?