Security questions on password reset.

[Chris74]

I would like to disable the need to answer the security question when resetting a password. Unfortunately this is never going to work properly unless the answer is a single, lower case word. In nearly all cases, the customer cannot remember exactly what they typed in and in what case. It's not meant to be a password, but WHMCS have implemented it exactly as if it were!

 

The secret question option is very good for manual / verbal verification - we can ask the customer over the phone, or on live chat for the answer to their question in order to verify their details - so I'd like to keep this running, but it's completely useless when used with the password reset option.

 

Asking someone to remember an exact sentence as if it were a password and to type that in exactly how it was originally typed, in the exact case? Completely stupid! Punctuation, capitalisation, extra spaces, different words used, plural or singular - all things that can be very easily forgotten, missed etc. To be brutally honest, this is so badly thought out it's an embarrassment for WHMCS. It should either be restricted to a single word, lower case answer - or disabled completely!

 

Do you know if it is possible to disable the security question, just for the password reset? is it a case of simply editing the template? If not, I guess it would be easy enough to simply disable the security question option completely and then add a custom field for this instead.

 

I've looked around but I can't find any instructions for cleaning this out completely - i.e disable the security questions and purge the questions and associated client answers from the database. Does anyone know the database fields names without me having to go digging?

 

Thanks in advance.

[brian!]

Hi Chris,

 

Do you know if it is possible to disable the security question, just for the password reset? is it a case of simply editing the template? If not, I guess it would be easy enough to simply disable the security question option completely and then add a custom field for this instead.

I think the simpler solution would be to add a client custom field - that should also give you more flexibility with regards to using regular expressions to ensure the answer is in a format you want.

 

its probable that even if you could tweak the template to not ask the security question, it will be required somewhere by one of the encoded files and it's absence will prevent the reset from working.

 

I've looked around but I can't find any instructions for cleaning this out completely - i.e disable the security questions and purge the questions and associated client answers from the database. Does anyone know the database fields names without me having to go digging?

answers are stored in tblclients - "securityqid" and "securityqans"

 

I think for your purpose, the important one is "securityqid" as this stores the value of which question to ask - it is set to 0 for "None", 1 for the first option in the security question dropdown, 2 for the second etc...

 

if its value is zero, then the security question is not asked - so I would assume you could just use an SQL update command to reset the value... something possibly along the lines of the following, but double-check before using!

 

UPDATE tblclients SET securityqid = 0

resetting securityqid wouldn't remove the answers... perhaps you might want to keep the answers until you have the custom field setup and populated... these values are encrypted in the database, but you should still be able to view them in the client's profile.

 

security questions are at - setup -> other -> security questions

 

I haven't tried this, but its possible that just removing the questions might be enough - it'll either work or WHMCS will attempt to ask a question that no longer exists... neither would surprise me!

[Chris74]

Thanks Brian - very much appreciated.