
Stronger Passwords for Hosting Modules


ryanz


Hi everyone,

I've searched and noticed this topic has been discussed before but I'm sorry to say the new solution in WHMCS 7.5+ is still not good enough.

https://whmcs.community/topic/280081-hosting-password/?tab=comments#comment-1269461

In today's world, we need to have proper Strong Passwords to maximize the security of hosting accounts, FTP, DB, Mailboxes etc.

For example in Plesk and cPanel these password security matters have been taken seriously but in WHMCS still not yet.

In Plesk, there are 5 levels of password strength:

1. Very Weak: These passwords are typically short and use only one type of characters (lower or upper-case characters or digits). Example: password. This security level prevents simplest password-guessing attacks.

2. Weak: These passwords are typically short and mostly use one type of characters (lower or upper-case characters or digits) with a couple of characters of a different type. Example: password12. These passwords provide basic protection from password guessing.

3. Medium: These passwords are typically short and contain characters of at least two types (lower or upper-case characters, digits, or special characters). Example: Password12. Such passwords provide reliable protection from attacks that capture passwords.

4. Strong: These passwords are at least 8 characters long and have at least one occurrence of upper and lower-case characters, digits, and special characters. Example: P@ssw0rd12. Such passwords provide strong protection from brute-force attacks.

5. Very strong: These passwords are at least 16 characters long and include multiple occurrences of upper and lower-case characters, digits, and special characters. Example: ~!my_P@$$w0rD123. Such passwords provide the best possible protection, though they are rather hard to remember.

If you use Plesk (set to Strong passwords) with WHMCS (passwords, letters, numbers, special characters) you simply cannot get an account automatically created in Plesk because the WHMCS passwords are too weak.

I did a test with WHMCS on my system, it creates long 14 character passwords but the mixture of upper, lower, numbers and characters is very simple and weak - no use of # or some other characters noticed.

The only way to get this to work is to set Plesk to Medium passwords, and this leaves the server open to lower strength passwords which can have major consequences because we all know users are "lazy" and choose simple passwords that are easily hacked.

Please please please WHMCS, improve your Auto Generated Passwords, or add a section where we can define the passwords to be used in more detail.

 


Create a file named for example StrongPasswordGenerator.php in includes/hooks directory. Here's the content:

<?php

use WHMCS\Database\Capsule;

function hook_StrongPasswordGenerator($vars)
{
	$password = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-=+?'), 0, $length = '10');
	Capsule::table('tblhosting')->where('id', $vars['params']['serviceid'])->update(['password' => Encrypt($password)]);
}

add_hook('PreModuleCreate', 1, 'hook_StrongPasswordGenerator');

Before WHMCS generates the service, this script will override the default password with a stronger one. Of course I suggest you change the function that generates the password because the one I used is not that great. I posted the script just to provide an example.


  • 2 years later...
On 12/16/2018 at 6:58 PM, Kian said:

Create a file named for example StrongPasswordGenerator.php in includes/hooks directory. Here's the content:


<?php

use WHMCS\Database\Capsule;

function hook_StrongPasswordGenerator($vars)
{
	$password = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-=+?'), 0, $length = '10');
	Capsule::table('tblhosting')->where('id', $vars['params']['serviceid'])->update(['password' => Encrypt($password)]);
}

add_hook('PreModuleCreate', 1, 'hook_StrongPasswordGenerator');

Before WHMCS generates the service, this script will override the default password with a stronger one. Of course I suggest you change the function that generates the password because the one I used is not that great. I posted the script just to provide an example.

Hello, I have tested this script, but it seems that WHMCS will save the generated one as the password. BUT Virtualizor will create a VPS with the password chosen by the user.

Is there any way you can fix it?

 

Thank you


  • 1 year later...

Here's an example of how we built it for the Plesk module here: https://github.com/websavers/WHMCS-Plesk-Fixes-Module/blob/master/plesk_fixes/hooks.php

The gist is you also need to return the password back to the PreModuleCreate function so that it uses it during creation of the account, like this:

return array( 'password' => $password );
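
The pieces from the posts above combined into one hook, as an added example that is not part of the original thread or of any poster's or project's code. The helper name `example_generate_strong_password` and the 16-character length are assumptions; the generator draws every character from `random_int()` and guarantees one character of each class, which matches the "Strong" level quoted in the first post (not "Very strong", which asks for multiple occurrences).

```php
<?php
// Added example, not the posters' or WHMCS's own code.
use WHMCS\Database\Capsule;

// Hypothetical helper: builds a password that satisfies the "Strong" level
// quoted above (>= 8 chars, at least one upper, lower, digit and special).
function example_generate_strong_password(int $length = 16): string
{
    $classes = [
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*()-=+?', // same specials as the hook posted above
    ];
    $length = max($length, 8);

    // One guaranteed character per class, chosen with the CSPRNG.
    $chars = [];
    foreach ($classes as $set) {
        $chars[] = $set[random_int(0, strlen($set) - 1)];
    }
    // Fill the rest from the combined alphabet; repeats are allowed,
    // unlike str_shuffle(), which can use each character only once.
    $all = implode('', $classes);
    while (count($chars) < $length) {
        $chars[] = $all[random_int(0, strlen($all) - 1)];
    }
    // Fisher-Yates shuffle driven by random_int(), so the guaranteed
    // characters do not always sit in the first four positions.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

add_hook('PreModuleCreate', 1, function ($vars) {
    $password = example_generate_strong_password(16);
    // Store the encrypted value on the service, as in the first hook ...
    Capsule::table('tblhosting')
        ->where('id', $vars['params']['serviceid'])
        ->update(['password' => Encrypt($password)]);
    // ... and return it so the module provisions with the same password.
    return ['password' => $password];
});
```

If the target panel rejects any of the listed special characters, trim that character class to the set the panel accepts; the guarantee of one character per class still holds.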

 
