postcd Posted August 7, 2019 Share Posted August 7, 2019 Hello, WHM complain the password WHMCS generated for the new cpanel hosting account is too weak. How do i please increase generated passwords complexity? I only found following configurable option which i assume is for the client area password only? Required Password Strength - Enter the required password strength from 1 to 100 - Enter 0 to Disable Similar, unanswered & closed topic 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 7, 2019 Share Posted August 7, 2019 I think a more recent thread on this would be the one below.... there is going to be a password generator for all passwords in v7.8... Quote FEATURE-1653 - Add automated password generator to all password input fields client side New functionality has been made available for all password input fields within the client area that enables clients to have a password automatically generated and filled into the field. The automatic password generation is intended to help encourage the use of secure passwords with a default length of 12 characters and containing a mix of letters, numbers and symbols. now I don't know if you can set a specific strength for it in the admin settings (i'm not testing the beta on principle), but as Kian says in the above thread, the strength is determined by the js and can be changed with coding if required. 0 Quote Link to comment Share on other sites More sharing options...
postcd Posted August 7, 2019 Author Share Posted August 7, 2019 My WHMCS version is 6.3.2. I checked modules/servers/cpanel files and found a js but inside is not anything about password generator. How do i change that password quality in WHMCS 6? I am OK witch manually adding like 4 static characters to each password. I just do not know what to modify in which file. Can you please advise the file and the steps? I am not a coder, but have basic orientation in the code. 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 7, 2019 Share Posted August 7, 2019 14 minutes ago, postcd said: My WHMCS version is 6.3.2. I checked modules/servers/cpanel files and found a js but inside is not anything about password generator. How do i change that password quality in WHMCS 6? i'll have to get my head in v6 mode... I hardly get asked to do anything with v6 any more, so my head defaults to v7 mode. which template and orderform are you using ? 0 Quote Link to comment Share on other sites More sharing options...
postcd Posted August 7, 2019 Author Share Posted August 7, 2019 57 minutes ago, brian! said: which template and orderform are you using ? thank you, it is old "default" (WHMCS 5) kind of style, and "verticalsteps" order form template. 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 7, 2019 Share Posted August 7, 2019 1 hour ago, postcd said: thank you, it is old "default" (WHMCS 5) kind of style, and "verticalsteps" order form template. ok, that's a little awkward as by the time they got to releasing v6.3.2, both "default" and "verticalsteps" were no longer shipped with WHMCS - so my v6.3.1 dev was a clean install back in 2016 and doesn't have the default template folder (you will only have it because you upgraded from a previous version) - it shipped with only "five" and "six".... nor would it have "verticalsteps" either. so i've used the 6.2.2 dev as that does have a default folder with vertical steps... and can I say, it was an absolute pain in the proverbial to find any sort of solution that would work with it - any recent coding technique I tried would fail, so I had to keep going further back in time to older techniques... I was slowly losing the will to live. what i've done is added a password generator to the configureproduct page - it's not testing strength, but it's generating passwords that I suspect should probably pass the cPanel tests... I might be tempted to remove similar characters, e.g l 1 & I from the character options, but I can leave that to you if you think it's going to be an issue that could cause confusion. i've changed the field from a password field to a text field (that's just so the user can get the generated password) and i've made the field readonly - which simplifies things as it will force them to use the generator and not enter a password manually. i've commented in the code where i've made changes, but it's basically: JS code towards the top of the page. the form has been given a name. the changes to the password field. as I said previously, this is the v6.2.2 version of the verticalsteps configureproduct.tpl template so I wouldn't suggest doing an overwriting upload - just compare your current version of the template to this one and manually add the 3 changes. configureproduct.tpl 0 Quote Link to comment Share on other sites More sharing options...
postcd Posted August 7, 2019 Author Share Posted August 7, 2019 (edited) Thank You for your effort @brian!. I have used your code, but i had to also make an adjustment - in order for the orderform to accept the password, i had to replace "output" by "rootpw" in the password text field code and also "output" by "rootpw" in the javascript code. (if anyone interested here i describe changes i made in my templates/orderforms/verticalsteps/configureproduct.tpl based on Brian! file attached above) RESULT: It worked only when i tried to generate password and order server. It generated and saved 12 characters long password. But when i tried to order cpanel hosting account, there was no prompt to generate or enter password and inside admin area i see the password is only 10 characters long, not 12 as set by Brian! javascript. 🤔 Any idea how to generate more complex/longer password for cpanel products or how to show password generating field during its order? UPDATE: i see i editted inside "{if $productinfo.type eq "server"}" section, that is why, but do not see other password field code in the file that would be applicable to non-server products.. Also while researching i found that the password may be also generated using PHP (i think PHP in templates have to be allowed somewhere in WHMCS settings), the php based generator may look like this: <input type="hidden" name="rootpw" size="20" value="{php}$rdmpw = substr(md5(rand().rand()), 0, 15); echo $rdmpw;{/php}" /> 15 = length, i bet it is using only alphanumeric Edited August 7, 2019 by postcd 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 8, 2019 Share Posted August 8, 2019 14 hours ago, postcd said: Thank You for your effort just when I thought I was safe from another day in v6.2.2 🦈 14 hours ago, postcd said: RESULT: It worked only when i tried to generate password and order server. in fairness, I only focussed on servers - I was probably so relieved to get that working, I retired after that for a lie down. 🙂 14 hours ago, postcd said: But when i tried to order cpanel hosting account, there was no prompt to generate or enter password and inside admin area i see the password is only 10 characters long, not 12 as set by Brian! javascript. 🤔 Any idea how to generate more complex/longer password for cpanel products or how to show password generating field during its order? UPDATE: i see i editted inside "{if $productinfo.type eq "server"}" section, that is why, but do not see other password field code in the file that would be applicable to non-server products.. aren't the passwords autogenerated for cPanel products anyway - the client never gets asked to add their own ?? that's what i'm seeing looking at vertical steps... and it's still the case in v7.7.1 with standard_cart. possibly you could generate a stronger password with a hook, but there's no chance of me writing a hook for a 4 year old - i'd have to visit archive.org for the old WHMCS documetnation for 2015 and see what the hook conditions were back then and that's not going to happen. 14 hours ago, postcd said: Also while researching i found that the password may be also generated using PHP (i think PHP in templates have to be allowed somewhere in WHMCS settings), though using {php} is frowned upon in WHMCS - and is nearly always unnecessary. 14 hours ago, postcd said: 15 = length, i bet it is using only alphanumeric that could be rewritten in Smarty without the need for {php} tags... <input type="text" name="rootpw" size="20" value="{substr(md5(mt_rand()), 0, 15)}" /> though I wouldn't consider the results to be a strong password. 0 Quote Link to comment Share on other sites More sharing options...
postcd Posted August 8, 2019 Author Share Posted August 8, 2019 (edited) so in short, passwords for server kind of WHMCS products can be generated on order form, but password for WHMCS cpanel products can not? WHMCS does not looking for any user input that can be saved as a password of the ordered cpanel kind of product? Thus it will not help me to try to copy that password text field to various places of the configureproduct.tpl or any other files? Edited August 8, 2019 by postcd 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 8, 2019 Share Posted August 8, 2019 1 hour ago, postcd said: so in short, passwords for server kind of WHMCS products can be generated on order form, but password for WHMCS cpanel products can not? correct. 1 hour ago, postcd said: WHMCS does not looking for any user input that can be saved as a password of the ordered cpanel kind of product? for cPanel products, the user is never asked for a password during ordering... and AFAIK, never has been. 1 hour ago, postcd said: Thus it will not help me to try to copy that password text field to various places of the configureproduct.tpl or any other files? no. shall I give you the obligatory 6 year feature request ? Quote During product or service check out allow users to enter their own password. Then check password against standard security password guidelines that the administrator has select or is industry recommended. 6 years, 43 votes and still "Under Consideration"... don't expect it any time soon. 1 Quote Link to comment Share on other sites More sharing options...
cmshosting Posted December 7, 2020 Share Posted December 7, 2020 I have a customer who doesn't know his password and because we're using a Wordpress bridge we can't reset his password... as a quick solution I wanted to replace his password with a password we know but im not sure how to generate the hashed password to place it in phpmyadmin like interface. Meanwhile I am working on fixing the main issue with WordPress. 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted December 7, 2020 Share Posted December 7, 2020 8 hours ago, cmshosting said: I have a customer who doesn't know his password and because we're using a Wordpress bridge we can't reset his password... as a quick solution I wanted to replace his password with a password we know but im not sure how to generate the hashed password to place it in phpmyadmin like interface. on which WHMCS version? I would have thought if it were pre-v8, you should still be able to reset a client password in the admin area. 0 Quote Link to comment Share on other sites More sharing options...
TommyVaughn Posted April 16, 2021 Share Posted April 16, 2021 Over the past few years, password leaks have become more and more secure password practices for users and their hosting services. Upon clicking the button, a strong and secure password will be randomly generated. 0 Quote Link to comment Share on other sites More sharing options...
airfoxfive Posted May 19, 2021 Share Posted May 19, 2021 When a new hosting account is created, WHMCS generates just a 10-character alphanumeric password that is no longer strong enough these days. We've seen a huge increase of distributed brute force attacks this year and many cPanel accounts were hacked because of their weak passwords. 0 Quote Link to comment Share on other sites More sharing options...
tumenvid Posted April 4, 2022 Share Posted April 4, 2022 Today WHMCS generates random passwords for new services consisting only of letters and numbers.This request is about implementing a stronger random password generation routine to WHMCS that will generate passwords containing special characters such as !$%( as-well. 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.