diff --git a/README.md b/README.md index 5052d916b..53702bc4b 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,12 @@ You can initially modify the settings in `settings.json`. (If you need to handle You should use a dedicated database such as "mysql", if you are planning on using etherpad-in a production environment, since the "dirtyDB" database driver is only for testing and/or development purposes. +## Secure your installation +If you have enabled authentication in `users` section in `settings.json`, it is a good security practice to **store hashes instead of plain text passwords** in that file. This is _especially_ advised if you are running a production installation. + +Please install [ep_hash_auth plugin](https://www.npmjs.com/package/ep_hash_auth) and configure it. +If you prefer, `ep_hash_auth` also gives you the option of storing the users in a custom directory in the file system, without having to edit `settings.json` and restart Etherpad each time. + ## Plugins and themes Etherpad is very customizable through plugins. Instructions for installing themes and plugins can be found in [the plugin wiki article](https://github.com/ether/etherpad-lite/wiki/Available-Plugins). diff --git a/settings.json.template b/settings.json.template index 800a1f341..9314ebf97 100644 --- a/settings.json.template +++ b/settings.json.template @@ -289,15 +289,21 @@ * * is_admin = true gives access to /admin. * If you do not uncomment this, /admin will not be available! + * + * WARNING: passwords should not be stored in plaintext in this file. + * If you want to mitigate this, please install ep_hash_auth and + * follow the section "secure your installation" in README.md */ /* "users": { "admin": { + // "password" can be replaced with "hash" if you install ep_hash_auth "password": "changeme1", "is_admin": true }, "user": { + // "password" can be replaced with "hash" if you install ep_hash_auth "password": "changeme1", "is_admin": false }
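Review bot: In the README hunk, the new "Secure your installation" section tells the reader to install ep_hash_auth "and configure it" but never says what the configured entry looks like, while the settings.json.template hunk in the same patch says `"password"` can be replaced with `"hash"`; the README should show that key and state how the hash value is produced (or at least link to the plugin's documentation for the accepted formats), otherwise a reader is left guessing which hash to put in the file. Two smaller points: "in `users` section" should read "in the `users` section", and it is worth adding one sentence that hashing only limits what is exposed if `settings.json` is read by someone else, so the file's permissions and the default `changeme1` values still need attention.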
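Review bot: In the settings.json.template hunk, the identical `// "password" can be replaced with "hash" if you install ep_hash_auth` line is repeated for both the `admin` and `user` entries; since the block-comment header just above already warns about plaintext passwords, state it once there (for example: "each `"password"` below can be replaced with `"hash"` once ep_hash_auth is installed") and drop the per-entry copies, which will otherwise drift out of sync as users are added. Also, the header refers to the README section as "secure your installation" while the README hunk adds it as "Secure your installation"; matching the heading exactly makes it easier to find.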