UsernamePasswords
How to use encrypted passwords in your config file
Featured
Updated Sep 13, 2011 by ozh...@gmail.com

In config.php, the variable $yourls_user_passwords shall contain an array of usernames and passwords. In YOURLS 1.5.1+ these passwords can be stored as plain text, or encrypted hashes.

Using plain text passwords

Save your config file with an array of simple key=>value associations like the following:

One login/password:

$yourls_user_passwords = array(
	'joe' => 'MyPassword',
);

You can of course define two or more login/password pairs:

$yourls_user_passwords = array(
	'joe' => 'MyPassword',
	'Randall' => 'correct horse battery staple',
	'leetboy' => 'h3ll0w0rld!',
	'api' => 'passwordfortheapi'
);

Using encrypted salted passwords

Instead of storing your password as clear text, you can store it as a salted MD5 hash with the following structure:

md5:< salt of 5 digits >:< md5 of salt + password >

A PHP example to generate an encrypted password would be:

$password = 'MyPassword';
$salt = rand( 10000, 99999 ); // 5-digit salt, example: 71688
// The stored value is the literal prefix, the salt and the md5 of salt followed by password
$encrypted = 'md5:' . $salt . ':' . md5( $salt . $password ); // example: md5:71688:0ce43474167f743b7b92d046ae970801

You can simply use the YOURLS salted hash generator.

The key=>value associations with encrypted passwords shall now look like the following:

$yourls_user_passwords = array(
	'joe' => 'md5:71688:0ce43474167f743b7b92d046ae970801',
);

The user will still log in using joe as the username and MyPassword as the password, but the password itself is no longer written anywhere in the config file.
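The same md5:<salt>:<hash> format, generated and then checked the way a login routine would check it. This is an added example in Python, not YOURLS code; the function names, the constructed sample config, and the handling of a plain-text entry alongside a hashed one (decided by matching the stored value against the format) are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# Stored format described above: md5:<5-digit salt>:<md5 of salt followed by password>
_ENCODED_RE = re.compile(r"^md5:(\d{5}):([0-9a-f]{32})$")


def encode_password(password: str, salt: Optional[int] = None) -> str:
    """Build the md5:<salt>:<hash> string; salt range mirrors rand(10000, 99999)."""
    if salt is None:
        salt = 10000 + secrets.randbelow(90000)
    if not 10000 <= salt <= 99999:
        raise ValueError("salt must be a 5-digit number")
    digest = hashlib.md5(f"{salt}{password}".encode("utf-8")).hexdigest()
    return f"md5:{salt}:{digest}"


def parse_encoded(stored: str) -> Optional[Tuple[str, str]]:
    """Return (salt, hex digest) if the stored value is in the hashed format, else None."""
    m = _ENCODED_RE.match(stored)
    return (m.group(1), m.group(2)) if m else None


def check_login(users: dict, username: str, password: str) -> bool:
    """Check a submitted login against a config array of user => stored value."""
    stored = users.get(username)
    if stored is None:
        return False
    parsed = parse_encoded(stored)
    if parsed is None:
        # Assumption of this example: anything not in the format is a plain-text entry.
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    salt, digest = parsed
    candidate = hashlib.md5(f"{salt}{password}".encode("utf-8")).hexdigest()
    # Constant-time comparison of the two hex digests
    return hmac.compare_digest(candidate, digest)


# Constructed sample config: one hashed entry and one plain-text entry
SAMPLE_USERS = {
    "joe": encode_password("MyPassword", 71688),
    "Randall": "correct horse battery staple",
}

if __name__ == "__main__":
    print(SAMPLE_USERS["joe"])
    print(check_login(SAMPLE_USERS, "joe", "MyPassword"), check_login(SAMPLE_USERS, "joe", "wrong"))
```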

Benefits of both methods

Storing your password in clear text is quicker, for instance when you want to grant someone temporary access. Also, since the password is stored in clear text, if you forget it you can simply open your config.php and read it.

Storing your password as a salted hash is more secure: if someone has access to your config.php, they won't be able to read your password from it and won't be able to log in to your setup. The drawback is that if you forget your own password, you cannot retrieve it. Simply generate a new one and update your config.php.

----

Comment by blausand...@gmail.com, Sep 10, 2011

VERY useful and important. Should add a way to avoid MySQL password as well, as most implementors might have signed for a single MySQL database for all their web projects.

Comment by project member ozh...@gmail.com, Sep 11, 2011

That's unfortunately not possible.

Comment by fjhortel...@gmail.com, Sep 13, 2011

The encryption isn't working for me... Every time I encrypt my password, Yourls doesn't recognize it when I try to login. I've already tried different passwords and none of them worked.

Comment by project member ozh...@gmail.com, Sep 13, 2011

fjhortel and others: requires 1.5.1 (ie a nightly build atm)

Comment by fjhortel...@gmail.com, Sep 15, 2011

Thank you ozh, I downloaded the latest version from svn and it is working now.
