32 changes: 11 additions & 21 deletions docs/guide/advanced/passwordless-api.md
Expand Up @@ -8,9 +8,11 @@ If you're worried about sending your credentials into the wild, you can also mak

Your secret signature token will be a string like `1002a612b4`

A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to log in your YOURLS setup. You will find it in the Tools page of your YOURLS install.
A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to
log in your YOURLS setup. You will find it in the Tools page of your YOURLS install.

**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.
**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a
login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.

## Usage of the signature token

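Review bot: while this paragraph is being reflowed, "It cannot be used to log in your YOURLS setup" reads better as "log in to your YOURLS setup", and the two back-to-back "Therefore" sentences in the NB could be merged into one: "Since your install is public, it uses no login and password, so there is no signature token to use instead of a login/password pair." The wrap-only change is otherwise fine.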
Expand All @@ -27,36 +29,24 @@ First, craft the time limited signature token:
```php
<?php
$timestamp = time();
$signature = md5( $timestamp . '1002a612b4' );
// Replace with your own secret signature token. Example result:
// $signature = "ed8d12124fc7916b00e3ecd7dc2c1d6a"
$signature = hash('sha256', $timestamp . '1002a612b4' );
// $signature = "10c28ab4a8b1b6acf3bef1a3e3284f4984d... (64 chars)"
?>
```

Now use parameters `signature` and `timestamp` in your API requests. Example:
By default, the hash must be one of `sha256`, `sha384` or `sha512`, unless explicitly allowed by a plugin via
the `allowed_hash_algos` filter.

`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&action=...`
Now use parameters `signature`, `timestamp` and `hash` in your API requests. Example:

`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha256&action=...`

This URL would be valid for only 43200 seconds (12 hours), the default value of constant `YOURLS_NONCE_LIFE`.

To modify this duration, add the following to your `config.php`:
`define( 'YOURLS_NONCE_LIFE', number_of_seconds );`
(note this also affect all the internal links of YOURLS such as the ones to activate a plugin, delete a short URL, etc.)

### Use other hash algorithms than `md5`

From YOURLS 1.7.7 you can use any hash function instead of `md5()`. Simply add the `hash=<hash algo>` argument to your API request, for instance:

```php
<?php
$timestamp = time();
$signature = hash('sha512', $timestamp . '1002a612b4' );
// $signature = "10c28ab4a8b1b6acf3bef1a3e3284f4984d... (128 chars)"
?>
```

Now use `https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha512&action=...`

**NB**: if you try to use a hash algorithm that your setup doesn't support, you will get a simple authentication error as if the timestamp or signature were incorrect.

## Reset your secret signature token
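Review bot: the rewritten section no longer says what happens when the `hash` parameter is omitted or names an algorithm outside the allowed list; the deleted NB ("you will get a simple authentication error as if the timestamp or signature were incorrect") is still accurate and useful, so keep it, and add one sentence stating whether `hash` is now required on every request or defaults to one of the allowed algorithms. Also restore the dropped comment "// Replace with your own secret signature token" next to `'1002a612b4'`, since without it a reader may paste the sample token verbatim. Finally, because md5 is no longer in the default list, existing integrations that still sign with md5 will start failing; a short migration note saying so (and that re-enabling md5 through `allowed_hash_algos` brings back the weaker algorithm) would save support questions.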
39 changes: 7 additions & 32 deletions docs/guide/essentials/credentials.md
Expand Up @@ -4,7 +4,7 @@

In `config.php`, the variable `$yourls_user_passwords` shall contain an array of usernames and passwords.

To improve security and user experience, YOURLS 1.7+ **automatically encrypts** these passwords within your config file.
To improve security and user experience, YOURLS **automatically encrypts** these passwords within your config file.

## Editing login & passwords in `config.php`

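Review bot: dropping the "1.7+" qualifier is fine, but since this line is being touched anyway, "automatically encrypts" is a misnomer for what the Nerd note below describes as a one-way hash; "automatically hashes" matches the actual behaviour and avoids suggesting the stored values can be decrypted.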
Expand Down Expand Up @@ -33,7 +33,8 @@ $yourls_user_passwords = array(

## Password auto-encryption

Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and undecipherable hashes. If you check now your `config.php`, you should see something like:
Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and
undecipherable hashes. If you check now your `config.php`, you should see something like:

```php
<?php
Expand All @@ -44,10 +45,12 @@ $yourls_user_passwords = array(
);
```

User will still log in using `joe` as a username and `MyPassword` as a password, but this password is no longer written down anywhere in the config file.
User will still log in using `joe` as a username and `MyPassword` as a password, but this password is no longer written
down anywhere in the config file.

:::tip Nerd note:
We're using the Blowfish algorithm to encrypt passwords, an industry standard strong one-way hashing algorithm. This will hash your passwords so tight even the NSA will never be able to find out.
We're using PHP's default password hashing algorithm, Blowfish as of writing, an industry standard strong one-way hashing algorithm.
This will hash your passwords so tight even the NSA will never be able to find out.
:::

## FAQ
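Review bot: the Nerd note names the algorithm as "Blowfish", but PHP's default for `password_hash()` (`PASSWORD_DEFAULT`) is bcrypt, which is derived from Blowfish but is a distinct password-hashing function; suggest "bcrypt (PHP's `PASSWORD_DEFAULT` as of writing)" so the wording matches the PHP documentation. In the same hunk, "encrypted and undecipherable hashes" could likewise read "salted, one-way hashes", consistent with the note.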
Expand All @@ -70,34 +73,6 @@ Storing your password as a crypted hash is more secure: if someone has access to

Simply edit your `config.php` and write a new password in clear text. Next time you'll load YOURLS, it will be encrypted again.

### Manual MD5 encryption

If you prefer, you can manually encrypt passswords using a MD5 salted hash of the following structure:

`md5:< salt of 5 digits >:< md5 of salt + password >`

A PHP example to generate an encrypted password would be:

```php
<?php
$password = 'MyPassword';
$salt = rand( 10000, 99999 ); // example: 71688
$encrypted = 'md5:' . $salt . ':' . md5( $salt . $password ) // example: md5:71688:0ce43474167f743b7b92d046ae970801
```

You can simply use the [YOURLS salted hash generator](https://yourls.org/md5).

Edit your `config.php` so that the `key => value` associations with encrypted passwords looks like the following:

```php
<?php
$yourls_user_passwords = array(
'joe' => 'md5:71688:0ce43474167f743b7b92d046ae970801',
);
```

Hashes using MD5 are slightly less secure than using native YOURLS encryption, but still way better than plain text passwords.

### I don't want to encrypt my password

If for some reason you'd rather keep your password unencrypted and in plain text in your config, simply add the following at the end of your `config.php`:
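Review bot: removing the manual MD5 section is reasonable given the weakness of the salted-MD5 scheme it described, but the FAQ now gives no guidance for existing installs whose `config.php` still holds `md5:<salt>:<hash>` entries: state whether YOURLS still accepts and re-hashes those on the next load, or whether the user must rewrite the password in clear text (as the "change my password" answer above describes) to obtain the stronger hash. One sentence in the FAQ would cover it.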