Can no longer reset client passwords

[mrtechnik]

On 4/02/2021 at 4:16 AM, Rahim said:

I have the same problem here where my client received forgot password reset email but no URL link in the email.

I too have the issue of no URL link in the reset email. I have a client that needs to get in to their account but can't because there is no link to click!

[WHMCS John]

Hello,

In v8.0 and above we introduced a significant update to the authentication and authorization system for accounts and users in WHMCS. Client Accounts no longer have passwords, authentication is now done via Users.

v8.0 and above intentionally does not expose or permit direct manipulations or display of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.

If some users are unable to receive the reset email, your admins would assist the customer by updating their email address via the new "Users" tab to one which can receive emails. You can then send the password reset email to them also via the Users tab: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option

If no users are receiving the password reset email, then please follow these steps to troubleshoot email sending issues: https://help.whmcs.com/m/troubleshooting/l/1261469-troubleshooting-email-sending-problems

 

 

So that the Password Reset Validation email template contains the timed reset link, ensure it contains the relevant merge field:

<a href="{$reset_password_url}">Reset your password</a>

This is located at Configuration > System Settings > Email Templates

[mrtechnik]

Thank you for the explanation. The merge filed was incorrect which has now fixed the issue.

[brian!]

On 07/01/2021 at 20:56, gnsw said:

I really don't understand why remove a necessary option for the system administrator.  This makes us look bad to a client, it is ridiculous to try to explain to a client that we are the system administrators but we can't just change his password. 

I think the logic, though badly explained by WHMCS, is that clients can no longer login, and therefore no longer have/need/use passwords.... only users can login.

that said, there should absolutely be a direct means of changing a users password from the admin area - the fact that there isn't makes no sense (especially given the process I outline below is available)

On 07/01/2021 at 20:56, gnsw said:

Are you trying to favor the developer of the "Change User Password" module ?

certainly nobody should need to buy an addon module to change a users password - the very fact that there is such a module, should be a cause for embarrassment at WHMCS (it won't be though).

On 04/02/2021 at 04:16, Rahim said:

I have hard time when there is no password reset button in admin area. It is really hard I tell you. WHMCS should put it back.

you can login as the client owner, either directly or via the admin area client summary profile, and change their password directly from the client area.

On 10/02/2021 at 12:43, bear said:

I can't speak for them, but past unpopular decisions eventually get ignored until the complainers grow tired of the silence and forget.

sadly, so true.... though I still believe at some point they must add the option back in to the admin area - probably not in v8.1.1, but in one of the future major releases.

[Mindnet]

2 hours ago, brian! said:

you can login as the client owner, either directly or via the admin area client summary profile, and change their password directly from the client area.

Exactly, so there is a way for the administrator to change the user's password, right? But the WHMCS response says that intentionally the WHMCS does not allow you to manipulate the user's password:

16 hours ago, WHMCS John said:

v8.0 and above intentionally does not expose or permit direct manipulations or display of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.

So in one way or another, it is possible for the admin to change the user's password, without the user having to do it using the new method implemented by WHMCS.

The end result is:

1) Made the admin's life more complicated, more steps are needed to change a password.

2) The developer who made a paid module to change the password, is laughing and earning some money, and he is right.

Now the question remains: what does it cost the WHMCS to return with this functionality? It may even be optional, in the security settings the WHMCS admin may or may not activate this feature.

In practice WHMCS is imposing a way of working, it decides that we cannot change the password of our users. It is a worrying path, tomorrow WHMCS can decide other things, about how we should manage our companies. Perhaps, who knows, tomorrow a change will not allow us to change the password of a cpanel account anymore, if the user forgot the password, it is his problem.

I sincerely hope that the WHMCS will review this, it costs nothing to reactivate and I repeat: it is an optional feature, nobody is obliged to use it, anyone who agrees with this imposition of the WHMCS just does not use this function.

[brian!]

On 12/02/2021 at 15:37, Mindnet said:

Exactly, so there is a way for the administrator to change the user's password, right? But the WHMCS response says that intentionally the WHMCS does not allow you to manipulate the user's password:

if that's the case, then that raises a contradiction - either the user shouldn't be allowed you directly "manipulate" the password, or the admin should have the option to do so from the admin area.

[websitewendy]

"you can login as the client owner, either directly or via the admin area client summary profile, and change their password directly from the client area."

This is not possible without knowing the original user password.
Ridiculous change and sloppy implementation with the empty areas in the admin and extra user pop up screen.

[peterh88]

I have using WHNCS for over 5 years

An example from a customer call ...

• Customer: please can you reset my password?
• Call centre: I send you an email ASAP
• Customer: I do not have access to my email system at the monument

At this point we need the power to help the customer. Any customer problem with our service we need to be able to help and fix in one call.

This password change will loss us customers

Please put the system back to 7.9 password functionality?

Thanks

Pete

[xyzulu]

You can reset the password from the database.

While I understand your reasons for wanting this feature back, resetting a password over the phone isn't the most secure way. 

[bear]

On 2/11/2021 at 5:59 PM, WHMCS John said:

v8.0 and above intentionally does not expose or permit direct manipulations or display of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.

When did WHMCS become a SaaS system? 
 

Quote

Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

 

[Mindnet]

Quote

1 hour ago, xyzulu said:

You can reset the password from the database.

While I understand your reasons for wanting this feature back, resetting a password over the phone isn't the most secure way. 

 

Change password in the database? This implies:

- Provide access to the database to company employees;

- Expect all team members to know how to manipulate data in a database, without damaging anything;

Finally, changing the password in the database is no longer simple. In the past it was enough to rewrite the password with md5 () but WHMCS does not work anymore, passwords are probably recorded with password_hash.

Anyway, your suggestion to enter the database and change the customer's password is not practical and feasible for most companies.

As much as you consider providing a password over the phone a risk, there will be situations where it will be necessary, otherwise the customer will not be able to access WHMCS.

The company for security, can ask for the security answer, confirm profile data, etc. - before providing the password by phone.

And lastly, what has been ignored in this post: no company is required to reset password manually. The function that existed in WHMCS was an option. If the company's policy is not to provide passwords over the phone, then simply do not use this function to reset a password for the customer.

Unfortunately WHMCS has made a decision that affects companies, and WHMCS wants to decide how companies should work and treat their customers.

This is a dangerous path, today WHMCS prevents us from reset password for the customer, tomorrow it may prevent us from other things.

I repeat: it is something very simple: that the WHMCS comes back with the admin's role to change the user password. And whoever will use this function, nobody is obliged to use it.

How difficult is it to understand this?

[brian!]

On 21/04/2021 at 09:58, peterh88 said:

At this point we need the power to help the customer. Any customer problem with our service we need to be able to help and fix in one call.

there are third-party solutions (well one), there is code available to reset a password... and I suppose ultimately if you had to, you could change a user's email (possibly via a direct db edit) to one you could access, send the password reset email, change password and then change the email back... yeah silly, long winded and as Mindnet says, you wouldn't want just anyone being able to directly interact with the database, but they're the main options.

[D9Hosting]

On 2/11/2021 at 10:59 PM, WHMCS John said:

This paradigm is common to many modern SaaS systems.

Common <> Good

For major changes like this you need to ask the users of your software for feedback BEFORE you go ahead and implement yet another "feature" that makes our lives harder.

[Web Host Pro]

You really need to add this option back, people will have upset customers and or lose customers for something that should be so simple. Email is not always reliable, and can be blocked or have issues. How can you not know this?

[Web Host Pro]

How can we manually change the password in phpmyadmin? This is a nightmare. Why make things harder for your customers?

[Web Host Pro]

So I bought the $25 plugin and it doesn't work. So now I've wasted over an hour, have a headache, and still can't change  a customer's password. This is crap

[Web Host Pro]

So now the app makers of the password change plugin won't refund the payment even though it doesn't work. I've wasted hours on this and lost a new customer because WHMCS can't have a simple password change option for customers. It's insane how ridiculous things can be. Amazing

[UnwilfulExpenditure]

3 hours ago, Web Host Pro said:

So now the app makers of the password change plugin won't refund the payment even though it doesn't work. I've wasted hours on this and lost a new customer because WHMCS can't have a simple password change option for customers. It's insane how ridiculous things can be. Amazing

Yeah, It is truly bizarre the way they picture what should happen! brian!'s idea of changing the email temporarily would probably be the quick fix you need if you can't make something to show it! 

I do feel your pain there though, The decisions taken are somewhat insane-like. I don't mind the idea of this, but the implementation seems like they banged it out after a heavy sesh with their eyes closed! Absolutely devastatingly poor, with no thought about implications or thought to their customers increased support loads.......... Ah well, I suppose you could jack up prices and hire competent staff like WHMCS say they did! 😉

[steven99]

On 7/19/2021 at 1:49 PM, Web Host Pro said:

So I bought the $25 plugin and it doesn't work. So now I've wasted over an hour, have a headache, and still can't change  a customer's password. This is crap

How is the addon not working exactly?   Like does it give an error or an entry in the module log to indicate issues?   Just a rough thinking how I would do such an addon, there isn't much that could stop it from working. 

[Web Host Pro]

I don't know why it doesn't work. The plugin maker said to change the permissions on a file to fix it which didn't. He then said he couldn't fix it without my whmcs and ftp information which obviously I'm not going to give. I  said ok we tried, can I get a refund since it doesn't work. He said no.

It amazes how WHMCS lets scammers advertise on their website. Weird stuff

[UnwilfulExpenditure]

49 minutes ago, Web Host Pro said:

I don't know why it doesn't work. The plugin maker said to change the permissions on a file to fix it which didn't. He then said he couldn't fix it without my whmcs and ftp information which obviously I'm not going to give. I  said ok we tried, can I get a refund since it doesn't work. He said no.

It amazes how WHMCS lets scammers advertise on their website. Weird stuff

That's not really scamming, they're offering to help you sort it! WHMCS seems to allow a lot of questionable activity - But this is most likely a config issue. I have seen people say they use it, But I'm not familiar with it myself! 

Could you install into a dev install and let them work out the issue? If it doesn't work it should have the same problem and they can tell you the steps to reproduce. 

As a side note, You should give the full story in the initial instance. 

[Marlene]

Anyone having any luck in fixing the admin reset of a password? Looking for a reliable 3rd party app that can fix this. I need to allow my staff to change the user password by entering a new password for them.  Has anyone tried this plugin by HartSoftCode? Not great reviews and I'm hoping they will see this thread and respond. Or better yet, maybe WHMCS can help us out!

 

[Danman]

This is so unbelievably annoying - A system admin needs the tools to avoid having to call clients and ask them to do stupid things like check and email and reset a password. Clients have no interest in doing things like this This just makes things difficult and system admins look stupid in our clients eyes. Terrible modification

[bear]

On 7/25/2021 at 11:51 PM, Marlene said:

Or better yet, maybe WHMCS can help us out!

Reminder: it was them that took this away without asking, and refuse to put it back.

[UnwilfulExpenditure]

I only see one bad review to be fair, it's $25 - If you need it - buy it! 

I have spoken to people using it, who seem satisfied - The person posting that review and this post only seemed to offer half a story about what happened! I'm not a fan of the author by any means - The few bits I've seen in action work however. I do think WHMCS need to get the office tested though! There seems to be a lack of oxygen in that place!