markb1439 Posted September 25, 2014
Hi, In the WordPress community there is a lot of buzz over the iThemes security breach, which was made worse because passwords were stored in plain text. How does WHMCS handle passwords (including users' passwords for their client area accounts, and cPanel login credentials)? Even if they are stored encrypted, is an unencrypted version stored in client e-mails that are sent (since e-mails are stored in the database)? That brings up another issue, the fact that the initial passwords are sent in plain text in e-mail. So...how safe are passwords in WHMCS? Are we storing clients' passwords in plain text? And, if so, how can we stop? Thanks, Mark
malfunction Posted October 2, 2014
As far as I know (and check your own database to be sure), all passwords are hashed or encrypted these days. However I think you're absolutely right to question what is sent in emails. I've raised this here in the past but got little support; it seems people are more interested in convenience than security. Best practice dictates that passwords are NEVER sent by email and NEVER displayed to the user, but that is not what WHMCS does. While you can chop most of the offending passwords out of the various email templates, I don't think it's possible to get them all, and FTP passwords are still displayed in the hosting details area.
mdemaree Posted October 17, 2014
This needs fixing.
satsuke Posted October 19, 2014
If you are aware, just set up Two Factor Auth.
adroitssd Posted October 19, 2014
WHMCS should enable built-in 2 factor auth for the client and admin panel.
merlinpa1969 Posted October 20, 2014 (edited)
NM, I misread.
durangod Posted October 20, 2014 (edited)
If you don't want to use the two factor, I guess you could edit the template to base64 encode it and then have the customer run a special PHP file from your domain, and copy and paste their code into it. Then you will decode it for them and show them the result. This would at least give it some obfuscation and might even show the client that you're serious about security. But then again it might make them mad to have to go through all that to get started. People are fussy, that's for sure, and fickle too sometimes lol, as well as anyone can decode base64, but it's something. Remember these kinds of things are done to stop the masses, not the elite. If the elite wants your stuff, not much you can do; everyone is vulnerable. But the general masses are what most things are written to block.
merlinpa1969 Posted October 20, 2014
Or just remind people that this is a TEMPORARY password and, since it's sent in general email, should be considered unsafe and needs to be changed IMMEDIATELY upon receipt.
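Added example, not WHMCS code or anything from this thread's posters, of the pattern malfunction and merlinpa1969 are arguing for: the welcome email carries a single-use, expiring setup link instead of a password, and the database keeps only hashes of the token and of the password the client then chooses. The in-memory tables, the example.test URL and the one-hour lifetime are assumptions made for the demonstration.

```python
import hashlib, hmac, os, secrets, time

# Constructed stand-ins for the client and token tables (not a real schema).
CLIENTS = {}   # email -> {"pw_hash": bytes|None, "salt": bytes, "must_change": bool}
TOKENS = {}    # sha256(token) hex -> {"email": str, "expires": float, "used": bool}
TOKEN_TTL = 3600  # assumed lifetime of a setup link, in seconds

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: salted and deliberately slow; only this digest is stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_client(email: str) -> str:
    """Create the account with no usable password and return a one-time
    setup token; the token, not a password, goes into the welcome email."""
    salt = os.urandom(16)
    CLIENTS[email] = {"pw_hash": None, "salt": salt, "must_change": True}
    token = secrets.token_urlsafe(32)
    # Store only the token's hash, so a database dump (or the stored copy of
    # the email) cannot be replayed to set the client's password.
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = {"email": email, "expires": time.time() + TOKEN_TTL, "used": False}
    return token

def welcome_email(email: str, token: str) -> str:
    # The message carries a link that dies after one use or TOKEN_TTL, never a password.
    return (f"To: {email}\nSubject: Set your client area password\n\n"
            f"Visit https://example.test/setpw?t={token} within 1 hour to choose a password.\n")

def redeem_token(token: str, new_password: str, now=None) -> bool:
    """Consume the setup token and store the hash of the client's chosen password."""
    now = time.time() if now is None else now
    rec = TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return False  # unknown, already used, or expired link
    rec["used"] = True
    client = CLIENTS[rec["email"]]
    client["pw_hash"] = hash_password(new_password, client["salt"])
    client["must_change"] = False
    return True

def verify_login(email: str, password: str) -> bool:
    client = CLIENTS.get(email)
    if client is None or client["pw_hash"] is None:
        return False  # account exists but setup was never completed
    candidate = hash_password(password, client["salt"])
    return hmac.compare_digest(candidate, client["pw_hash"])  # constant-time compare
```

Because the link is consumed on first use and expires on its own, a copy of the email lingering in the WHMCS email log or in the client's mailbox is worth nothing to whoever reads it later.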
satsuke Posted October 23, 2014
> WHMCS should enabled built in 2 factor auth for client and admin panel.
WHMCS should consider this: https://requests.whmcs.com/responses/two-factor-authentication-with-email It'll be much better.
durangod Posted October 23, 2014
Make it simple, one pw for everyone, or even just like an SSN you get one pw for life lmao... kidding of course.... we don't need no stinkin pw's lol..
satsuke Posted October 23, 2014
> Make it simple, one pw for everyone, or even just like a ssn you get one pw for life lmao... kidding of course.... we dont need no stinkin pw's lol..
What's wrong? We can still use "Remember This Computer" unless cookies have been deleted.
sychern Posted October 24, 2014
I received an email with my password as ********ab. It would be better than exposing all the chars.