
[NOT A BUG] WHMCS & Password secure?


mpkossen

Recommended Posts

It occurred to me that WHMCS sends passwords to people. Not only is this a security risk in itself, it also means that passwords in the database are not secure in the sense that they can be decoded back to a normal password (a sha1-encoded password virtually cannot be decoded) even though they are encrypted in the database.

 

I'm wondering why WHMCS sends passwords and why they can be decoded?

Edited by Matt

  • WHMCS Support Manager

If you don't want to email passwords to clients then remove the field from the email template (Setup > Email Templates > Edit). Only hosting account passwords are stored in a reversible manner by default unless you disable the MD5 client passwords under Setup > General Settings > Security Tab.


I've removed it from the templates already. Thanks for the tip, though :)

 

I'm really sorry, I've just noticed that MD5-passwords can only be disabled via the admin area and that it resets all passwords. Would the template field have worked with MD5-encrypted passwords? Or would it have been empty?

Edited by mpkossen

To clarify a little bit, the client area password, even with MD5 enabled, will get emailed. However, it is emailed before it is actually encrypted and entered into the database. As John stated, you can simply remove the password from the email templates if you do not wish for your clients to receive them.

 

That being said, I wrote a "secure password reset" module that basically removes the need to include client area passwords within the templates. It basically takes the normal password reset function, and makes it a bit more secure. When you receive the password reset email, it redirects you to another page where you can enter your new password. It never actually will get sent to you after this is done. The current way the password reset works is, when you click on the reset link in the email, it will send you a temporary password within another email.

 

I'll probably release this as a free module here shortly once I've had time to work out any potential bugs. We've been using it in production for a few weeks now without any major problems.

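A minimal version of the token-based reset flow described in the post above, added here as an illustration; it is not the poster's module or any WHMCS code. The in-memory store, the sample user and the one-hour token lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 3600          # assumed lifetime of a reset link, in seconds
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored password hash


class ResetStore:
    """In-memory stand-in for the database tables a real installation would use."""
    def __init__(self):
        self.users = {}    # email -> salted password hash
        self.tokens = {}   # sha256(token) -> (email, expiry timestamp)


def hash_password(password, salt=None):
    # Salted, slow hash: the stored value cannot be turned back into the password.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def request_reset(store, email, now):
    # Returns the single-use token that goes into the emailed link. Only its hash is
    # stored, so reading the database does not yield a usable link, and no password
    # is ever placed in an email.
    if email not in store.users:
        return None   # the caller still sends the same generic "check your mail" reply
    token = secrets.token_urlsafe(32)
    store.tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token


def complete_reset(store, token, new_password, now):
    # Called from the page the reset link lands on, where the user types the new password.
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = store.tokens.pop(key, None)   # single use: consumed on the first attempt
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    store.users[email] = hash_password(new_password)
    return True
```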
