
How to make WHMCS generate more complex passwords for services?


postcd


Hello,

WHM complains that the password WHMCS generated for the new cPanel hosting account is too weak.

How do I increase the complexity of generated passwords, please?

I only found the following configurable option, which I assume is for the client area password only?

Required Password Strength - Enter the required password strength from 1 to 100 - Enter 0 to Disable

Similar, unanswered & closed topic


I think a more recent thread on this would be the one below....

there is going to be a password generator for all passwords in v7.8...

Quote

FEATURE-1653 - Add automated password generator to all password input fields client side

New functionality has been made available for all password input fields within the client area that enables clients to have a password automatically generated and filled into the field. The automatic password generation is intended to help encourage the use of secure passwords with a default length of 12 characters and containing a mix of letters, numbers and symbols.

now I don't know if you can set a specific strength for it in the admin settings (i'm not testing the beta on principle), but as Kian says in the above thread, the strength is determined by the js and can be changed with coding if required.


My WHMCS version is 6.3.2. I checked the modules/servers/cpanel files and found a JS file, but there is nothing inside about a password generator. How do I change that password quality in WHMCS 6?

I am OK with manually adding something like 4 static characters to each password. I just do not know what to modify in which file. Can you please advise the file and the steps? I am not a coder, but have basic orientation in the code.


14 minutes ago, postcd said:

My WHMCS version is 6.3.2. I checked the modules/servers/cpanel files and found a JS file, but there is nothing inside about a password generator. How do I change that password quality in WHMCS 6?

i'll have to get my head in v6 mode... I hardly get asked to do anything with v6 any more, so my head defaults to v7 mode.

which template and orderform are you using ?


1 hour ago, postcd said:

thank you, it is old "default" (WHMCS 5) kind of style, and "verticalsteps" order form template.

ok, that's a little awkward as by the time they got to releasing v6.3.2, both "default" and "verticalsteps" were no longer shipped with WHMCS - so my v6.3.1 dev was a clean install back in 2016 and doesn't have the default template folder (you will only have it because you upgraded from a previous version) - it shipped with only "five" and "six".... nor would it have "verticalsteps" either.

so i've used the 6.2.2 dev as that does have a default folder with vertical steps... and can I say, it was an absolute pain in the proverbial to find any sort of solution that would work with it - any recent coding technique I tried would fail, so I had to keep going further back in time to older techniques... I was slowly losing the will to live.

what i've done is added a password generator to the configureproduct page - it's not testing strength, but it's generating passwords that I suspect should probably pass the cPanel tests... I might be tempted to remove similar characters, e.g l 1 & I from the character options, but I can leave that to you if you think it's going to be an issue that could cause confusion.

i've changed the field from a password field to a text field (that's just so the user can get the generated password) and i've made the field readonly - which simplifies things as it will force them to use the generator and not enter a password manually.


i've commented in the code where i've made changes, but it's basically:

  1. JS code towards the top of the page.
  2. the form has been given a name.
  3. the changes to the password field.

as I said previously, this is the v6.2.2 version of the verticalsteps configureproduct.tpl template so I wouldn't suggest doing an overwriting upload - just compare your current version of the template to this one and manually add the 3 changes.

configureproduct.tpl


Thank you for your effort, @brian! I have used your code, but I also had to make an adjustment: in order for the order form to accept the password, I had to replace "output" with "rootpw" in the password text field code and also "output" with "rootpw" in the JavaScript code. (If anyone is interested, here I describe the changes I made in my templates/orderforms/verticalsteps/configureproduct.tpl, based on Brian!'s file attached above.)

RESULT: It worked only when I tried to generate a password and order a server. It generated and saved a 12-character password. But when I tried to order a cPanel hosting account, there was no prompt to generate or enter a password, and inside the admin area I see the password is only 10 characters long, not 12 as set by Brian!'s JavaScript. 🤔 Any idea how to generate a more complex/longer password for cPanel products, or how to show the password generating field during the order? UPDATE: I see I edited inside the "{if $productinfo.type eq "server"}" section, that is why, but I do not see other password field code in the file that would be applicable to non-server products.

Also, while researching I found that the password may also be generated using PHP (I think PHP in templates has to be allowed somewhere in WHMCS settings); the PHP-based generator may look like this:

<input type="hidden" name="rootpw" size="20" value="{php}$rdmpw = substr(md5(rand().rand()), 0, 15); echo $rdmpw;{/php}" />

15 = length, i bet it is using only alphanumeric

Edited by postcd

14 hours ago, postcd said:

Thank You for your effort

just when I thought I was safe from another day in v6.2.2 🦈

14 hours ago, postcd said:

RESULT: It worked only when I tried to generate a password and order a server.

in fairness, I only focussed on servers - I was probably so relieved to get that working, I retired after that for a lie down. 🙂

14 hours ago, postcd said:

But when I tried to order a cPanel hosting account, there was no prompt to generate or enter a password, and inside the admin area I see the password is only 10 characters long, not 12 as set by Brian!'s JavaScript. 🤔 Any idea how to generate a more complex/longer password for cPanel products, or how to show the password generating field during the order? UPDATE: I see I edited inside the "{if $productinfo.type eq "server"}" section, that is why, but I do not see other password field code in the file that would be applicable to non-server products.

aren't the passwords autogenerated for cPanel products anyway - the client never gets asked to add their own ?? that's what i'm seeing looking at vertical steps... and it's still the case in v7.7.1 with standard_cart.

possibly you could generate a stronger password with a hook, but there's no chance of me writing a hook for a 4 year old - i'd have to visit archive.org for the old WHMCS documentation for 2015 and see what the hook conditions were back then and that's not going to happen.

14 hours ago, postcd said:

Also, while researching I found that the password may also be generated using PHP (I think PHP in templates has to be allowed somewhere in WHMCS settings),

though using {php} is frowned upon in WHMCS - and is nearly always unnecessary.

14 hours ago, postcd said:

15 = length, i bet it is using only alphanumeric

that could be rewritten in Smarty without the need for {php} tags...

<input type="text" name="rootpw" size="20" value="{substr(md5(mt_rand()), 0, 15)}" />

though I wouldn't consider the results to be a strong password.
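
As an added example (not code from the thread or from WHMCS): both `md5()`-based snippets above emit only hexadecimal characters from a non-cryptographic generator, so this sketch of an order-form generator draws from the browser's CSPRNG instead, using the 12-character default and the letter, number and symbol mix from the quoted release note. The symbol set and the function names are assumptions.

```javascript
// Added example: CSPRNG-backed generator for the order form's rootpw field.
// Browsers expose crypto globally; the fallback only covers older Node.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : null);

// l, 1 and I are left out, as suggested in the thread. The symbol set is an
// assumption: trim it to whatever the target control panel accepts.
const CLASSES = {
  lower: 'abcdefghijkmnopqrstuvwxyz',
  upper: 'ABCDEFGHJKLMNOPQRSTUVWXYZ',
  digit: '023456789',
  symbol: '!$%()#@*-_=+',
};

// Uniform integer in [0, n) for 1 <= n <= 256. Bytes at or above the largest
// multiple of n are rejected, so `% n` introduces no modulo bias.
function randomInt(n) {
  if (n < 1 || n > 256) throw new RangeError('n must be between 1 and 256');
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 12) {
  const sets = Object.values(CLASSES);
  if (length < sets.length) {
    throw new RangeError('length must cover every character class');
  }
  const all = sets.join('');
  // One character from each class first, then fill from the full alphabet.
  const chars = sets.map((set) => set[randomInt(set.length)]);
  while (chars.length < length) {
    chars.push(all[randomInt(all.length)]);
  }
  // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// In the template: set the rootpw input's value to generatePassword().
```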


so in short, passwords for server kind of WHMCS products can be generated on order form, but password for WHMCS cpanel products can not? WHMCS does not look for any user input that can be saved as a password of the ordered cpanel kind of product? Thus it will not help me to try to copy that password text field to various places of the configureproduct.tpl or any other files?

Edited by postcd

1 hour ago, postcd said:

so in short, passwords for server kind of WHMCS products can be generated on order form, but password for WHMCS cpanel products can not?

correct.

1 hour ago, postcd said:

WHMCS does not look for any user input that can be saved as a password of the ordered cpanel kind of product?

for cPanel products, the user is never asked for a password during ordering... and AFAIK, never has been.

1 hour ago, postcd said:

Thus it will not help me to try to copy that password text field to various places of the configureproduct.tpl  or any other files?

no.

shall I give you the obligatory 6 year feature request ?

Quote

During product or service check out allow users to enter their own password. Then check password against standard security password guidelines that the administrator has selected or is industry recommended.

6 years, 43 votes and still "Under Consideration"... don't expect it any time soon.


  • 1 year later...

I have a customer who doesn't know his password and because we're using a WordPress bridge we can't reset his password... as a quick solution I wanted to replace his password with a password we know but I'm not sure how to generate the hashed password to place it in a phpMyAdmin-like interface.

Meanwhile I am working on fixing the main issue with WordPress.


8 hours ago, cmshosting said:

I have a customer who doesn't know his password and because we're using a WordPress bridge we can't reset his password... as a quick solution I wanted to replace his password with a password we know but I'm not sure how to generate the hashed password to place it in a phpMyAdmin-like interface.

on which WHMCS version? I would have thought if it were pre-v8, you should still be able to reset a client password in the admin area.


  • 4 months later...
  • 1 month later...

When a new hosting account is created, WHMCS generates just a 10-character alphanumeric password that is no longer strong enough these days. We've seen a huge increase of distributed brute force attacks this year and many cPanel accounts were hacked because of their weak passwords.


  • 10 months later...

Today WHMCS generates random passwords for new services consisting only of letters and numbers.
This request is about implementing a stronger random password generation routine in WHMCS that will generate passwords containing special characters such as !$%( as well.

