ravex, Posted December 17, 2016

With the Yahoo megabreach that has been announced this week, along with the information that Yahoo were only securing the passwords with MD5, as well as the numerous other breaches of huge companies that have been in the news over the last few years, and knowing that MD5 has been fundamentally broken, even using a salt, for more than 15 years now, is it not worth WHMCS, the company, starting to investigate and implement a new password hashing algorithm, say argon2, PBKDF2 or even bcrypt, for both the client and admin areas of WHMCS, the product?
xyzulu, Posted December 17, 2016

Could this be a new feature request perhaps? https://requests.whmcs.com/
twhiting9275, Posted December 18, 2016

Yeah, this is more for a feature request. This might make sense, but it'd get really ugly with the way that other material is encrypted as well, given that WHMCS uses the same functionality for almost everything there.
WHMCS Nate, Posted December 19, 2016

Hello Ravex,

When you speak about how WHMCS handles passwords, it's easy to get some very different concepts mixed up. WHMCS has two types of user accounts where it is what authenticates users (client users and admin users). WHMCS also stores the authentication details for various services it needs to connect to, including some that are straightforward passwords. In the case where you authenticate against WHMCS, we store a password hash, never the password itself. In the authentication details storage case, we need to use symmetrical encryption that allows us to decrypt passwords. MD5 was a commonly used hashing method; it has never been used as a symmetrical encryption method. You asked about the first topic, and WHMCSGuru's link is related to the second topic.

We stopped using MD5 to store hashed passwords for admins in 5.3.9 and updated client passwords to a new storage method in 6.3.0. You can read more here:
http://docs.whmcs.com/Admin_Password_Hashing
http://docs.whmcs.com/Version_6.3.0_Release_Notes

Given the recent Yahoo disclosure, I understand concern about using MD5 for password hashing; however, I can assure you that it is not how we store details in the product.

Have a great day,
Nate C
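An added example (not WHMCS code, and not a description of how WHMCS stores either admin or client passwords) of the migration the thread is about: moving a login system off unsalted MD5 to a salted, iterated hash without forcing every user to reset. It uses PBKDF2-HMAC-SHA256 from the Python standard library, one of the three algorithms the original post names; the record layouts, the legacy MD5 format and the user store are constructed for the demo.

```python
import hashlib
import hmac
import os

# Work factor for new PBKDF2-HMAC-SHA256 records (assumed value for this example).
PBKDF2_ITERATIONS = 600_000


def make_pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Create a salted PBKDF2-HMAC-SHA256 record for a new or upgraded password."""
    salt = os.urandom(16)  # per-user random salt, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations, "salt": salt, "hash": digest}


def legacy_md5_record(password: str) -> dict:
    """Constructed legacy record: unsalted MD5, the layout the thread warns against."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode("utf-8")).digest()}


def verify(record: dict, password: str) -> bool:
    """Recompute under whichever scheme the record uses; compare in constant time."""
    pw = password.encode("utf-8")
    if record["scheme"] == "md5":
        candidate = hashlib.md5(pw).digest()
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], record["iterations"])
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(record: dict) -> bool:
    """True for legacy MD5 records and for PBKDF2 records below the current work factor."""
    return record["scheme"] != "pbkdf2_sha256" or record["iterations"] < PBKDF2_ITERATIONS


def login(store: dict, username: str, password: str) -> bool:
    """Authenticate and, on success only, upgrade a weak record in place.
    The plaintext exists only during login, so that is the one moment an
    unsalted hash can be migrated without a forced password reset."""
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if needs_rehash(record):
        store[username] = make_pbkdf2_record(password)
    return True


def demo() -> dict:
    """Constructed store with one legacy user; a failed then a successful login."""
    store = {"alice": legacy_md5_record("correct horse battery staple")}
    wrong = login(store, "alice", "wrong password")
    right = login(store, "alice", "correct horse battery staple")
    return {"wrong": wrong, "right": right, "scheme_after": store["alice"]["scheme"]}
```

A failed login must leave the legacy record untouched, so an attacker guessing against a migrated system gains nothing from the upgrade path; the upgrade happens only after the correct password has been verified.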