How to mass reset client password using PhpMyAdmin (BUG or not a BUG)

[zitu4life]

Hello there

Is it possible to reset all clients password using PhpMyAdmin send a query to tblclients?

I am looking if I could generate random password for all clients, to ensure if there any client login with no password, I will automatically create one...
When you create clients on admin side, it will allow you not set a password (perhaps it is bug), but WHMCS works like this 😪. So if I reset all password when some client tries to login he will be enforce to request one password reset from client area page.

In general all my clients do not login to their client area, so no problem with that. As for the future months they will start logged-in more frequently, that is why I want to MASS RESET, and ensure more safety.

PS: I do not need to send new password reset to client at this moment by email , it is just a silent reset from admin side.

Edited May 11, 2020 by zitu4life
edit title

[zitu4life]

Let me show steps reproduced to see if it is a BUG (actually only WHMCS will definitely decide if it is or not)

1- Add a client and leave email address empty.
We receive Validation Error, that is OK

 

2- Add a client and insert email, but leave password empty

3 - After click save, client add with success, with no password 🤪

 

4 - go to client area and try to login just inserting email address

 5 - Congratulations, we are in 😬

[Kian]

If you are masquerade as admin, you can login to any account just using the email. It doesn't matter what tblclients.password says, the login always works. You can double-check it by performing the same action when you are NOT logged as admin.

As for customers having an empty tblclients.password, you could use an hook like this one but read the notes below.

<?php

use WHMCS\Database\Capsule;

add_hook('DailyCronJob', 1, function($vars)
{
    $Data = Capsule::select(Capsule::raw('SELECT id FROM tblclients WHERE password = ""'));

    foreach ($Data as $v)
    {
        localAPI('ResetPassword', array('id' => $v->id), $adminUsername);
    }

});

With daily cron of WHMCS I select all clients with an empty password and perform the ResetPassword API command. The funny thing is that I have no idea of what ResetPassword actually does. I mean it returns "successful" but nothing changes in tblclients.password 🤨

[brian!]

1 hour ago, zitu4life said:

I am looking if I could generate random password for all clients, to ensure if there any client login with no password, I will automatically create one...

but if a client has no password, and assuming they know their email address, they can reset it themselves can't they ?

if you create a new password (or get WHMCS to do it for you), then you will have to tell the client - so you are going to email their password to them openly??

1 hour ago, zitu4life said:

When you create clients on admin side, it will allow you not set a password (perhaps it is bug), but WHMCS works like this 😪

I wouldn't consider that a bug - by your own admission, most of your clients don't need passwords as they won't login.

1 hour ago, zitu4life said:

In general all my clients do not login to their client area, so no problem with that. As for the future months they will start logged-in more frequently, that is why I want to MASS RESET, and ensure more safety.

somewhere in the back of my mind, someone from WHMCS posted something about bulk resetting passwords - though can't remember if it was service or client passwords... I would suspect sometime in 2018 or 2017... possibly after a hack or a security issue.

20 minutes ago, Kian said:

As for customers having an empty tblclients.password, you could use an hook like this one but read the notes below.

I don't think that will work in the sense that I have client accounts in the devs that definitely don't have any passwords (I don't add them when creating new accounts), but that password field in the database isn't empty... it is for one or two, but not the rest.

24 minutes ago, Kian said:

The funny thing is that I have no idea of what ResetPassword actually does. I mean it returns "successful" but nothing changes in tblclients.password 🤨

it doesn't enter a password into the table, I think it just tries to send the password reset email to the client.

[zitu4life]

Thinking better, it should not be a BUG, as @Kian said I was login somehow  masquerade as admin, that is why I could not need to insert password.

I have tried log out from admin and try login again just inserting email and it not allowed me (for same client without password created)...Perhaps somehow WHMCS is setting an random password to client even if as admin I do not set it a password, if it is true it is good for security reason, and that is what I would expect this behavior by  the system, or if not prompt with a validation password missing before create an account.

I can not confirm, but I think now that WHMCS setts random password to a client if added by admin and if password not provided. 

 

 

Edited May 11, 2020 by zitu4life
add a picture and answer Brian question. Yes and NO