ryanz Posted December 16, 2018 Share Posted December 16, 2018 (edited) Hi everyone, I've searched and noticed this topic has been discussed before but I'm sorry to say the new solution in WHMCS 7.5+ is still not good enough. https://whmcs.community/topic/280081-hosting-password/?tab=comments#comment-1269461 In today's world, we need to have proper Strong Passwords to maximize the security of hosting accounts, FTP, DB, Mailboxes etc. For example in Plesk and cPanel these password security matters have been taken seriously but in WHMCS still not yet. In Plesk, there are 5 levels of password strength: 1. Very Weak: These passwords are typically short and use only one type of characters (lower or upper-case characters or digits). Example: password. This security level prevents simplest password-guessing attacks. 2. Weak: These passwords are typically short and mostly use one type of characters (lower or upper-case characters or digits) with a couple of characters of a different type. Example: password12. These passwords provide basic protection from password guessing. 3. Medium: These passwords are typically short and contain characters of at least two types (lower or upper-case characters, digits, or special characters). Example: Password12. Such passwords provide reliable protection from attacks that capture passwords. 4. Strong: These passwords are at least 8 characters long and have at least one occurrence of upper and lower-case characters, digits, and special characters. Example: P@ssw0rd12. Such passwords provide strong protection from brute-force attacks. 5. Very strong: These passwords are at least 16 characters long and include multiple occurrences of upper and lower-case characters, digits, and special characters. Example: ~!my_P@$$w0rD123. Such passwords provide the best possible protection, though they are rather hard to remember. If you use Plesk (set to Strong passwords) with WHMCS (passwords, letters, numbers, special characters) you simply cannot get an account automatically created in Plesk because the WHMCS passwords are too weak. I did a test with WHMCS on my system, it creates long 14 character passwords but the mixture of upper, lower, numbers and characters is very simple and weak - no use of # or some other characters noticed. The only way o get this to work is to set Plesk to Medium passwords, and this leaves the server open to lower strength passwords which can have major consequences because we all know users are "lazy" and choose simple passwords that are easily hacked. Please please please WHMCS, improve your Auto Generated Passwords, or add a section where we can define the passwords to be used in more detail. Edited December 16, 2018 by ryanz 0 Quote Link to comment Share on other sites More sharing options...
Kian Posted December 16, 2018 Share Posted December 16, 2018 In the meantime you can think of overriding the password generated by WHMCS with a better one with an action hook. 0 Quote Link to comment Share on other sites More sharing options...
ryanz Posted December 16, 2018 Author Share Posted December 16, 2018 Thanks for the reply, I've never worked with an action hook. Can someone explain how to do it in this case, thanks. 0 Quote Link to comment Share on other sites More sharing options...
Kian Posted December 16, 2018 Share Posted December 16, 2018 Create a file named for example StrongPasswordGenerator.php in includes/hooks directory. Here's the content: <?php use WHMCS\Database\Capsule; function hook_StrongPasswordGenerator($vars) { $password = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-=+?'), 0, $length = '10'); Capsule::table('tblhosting')->where('id', $vars['params']['serviceid'])->update(['password' => Encrypt($password)]); } add_hook('PreModuleCreate', 1, 'hook_StrongPasswordGenerator'); Before WHMCS generates the service, this script will override the default password with a stronger one. Of course I suggest you to change the function that generates the password because the one I used is not that great. I posted the script just to provide an example. 0 Quote Link to comment Share on other sites More sharing options...
Andrea D. Posted October 19, 2021 Share Posted October 19, 2021 On 12/16/2018 at 6:58 PM, Kian said: Create a file named for example StrongPasswordGenerator.php in includes/hooks directory. Here's the content: <?php use WHMCS\Database\Capsule; function hook_StrongPasswordGenerator($vars) { $password = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-=+?'), 0, $length = '10'); Capsule::table('tblhosting')->where('id', $vars['params']['serviceid'])->update(['password' => Encrypt($password)]); } add_hook('PreModuleCreate', 1, 'hook_StrongPasswordGenerator'); Before WHMCS generates the service, this script will override the default password with a stronger one. Of course I suggest you to change the function that generates the password because the one I used is not that great. I posted the script just to provide an example. Hello i have tested this script but it seems that WHMCS will save as password the generated one. BUT virtualizor will create a vps with the password choosed by the user. Is there any way you can fix it? Thank you 0 Quote Link to comment Share on other sites More sharing options...
websavers Posted December 31, 2022 Share Posted December 31, 2022 Here's an example of how we built it for the Plesk module here: https://github.com/websavers/WHMCS-Plesk-Fixes-Module/blob/master/plesk_fixes/hooks.php The gist is you also need to return the password back to the PreModuleCreate function so that it uses it during creation of the account, like this: return array( 'password' => $password ); 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.