Can no longer reset client passwords

On 4/02/2021 at 4:16 AM, Rahim said:

I have the same problem here where my client received forgot password reset email but no URL link in the email.

I too have the issue of no URL link in the reset email. I have a client that needs to get in to their account but can't because there is no link to click!


Hello,

In v8.0 and above we introduced a significant update to the authentication and authorization system for accounts and users in WHMCS. Client Accounts no longer have passwords; authentication is now done via Users.

v8.0 and above intentionally does not expose or permit direct manipulations or display of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.

If some users are unable to receive the reset email, your admins would assist the customer by updating their email address via the new "Users" tab to one which can receive emails. You can then send the password reset email to them also via the Users tab: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option

If no users are receiving the password reset email, then please follow these steps to troubleshoot email sending issues: https://help.whmcs.com/m/troubleshooting/l/1261469-troubleshooting-email-sending-problems

 

 

So that the Password Reset Validation email template contains the timed reset link, ensure it contains the relevant merge field:

<a href="{$reset_password_url}">Reset your password</a>

This is located at Configuration > System Settings > Email Templates

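One common way to build a timed, single-use reset link of the kind the post above describes, as an added example that is not part of the original post and is not WHMCS code. The class name, the one-hour lifetime, the user id and the `billing.example.test` URL are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not WHMCS code. Requires PHP 8.0+.
// The array stands in for a database table; the TTL is an assumed value.
final class ResetTokenStore
{
    /** @var array<int, array{hash: string, expires: int}> */
    private array $rows = [];

    public function __construct(private int $ttlSeconds = 7200)
    {
    }

    // The raw token appears only in the emailed URL. The store keeps a
    // SHA-256 digest, so a leaked table does not yield usable links.
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->rows[$userId] = [            // a new request replaces any older link
            'hash'    => hash('sha256', $token),
            'expires' => $now + $this->ttlSeconds,
        ];
        return $token;
    }

    // Accept a token once, before expiry, using a constant-time comparison.
    public function redeem(int $userId, string $token, int $now): bool
    {
        $row = $this->rows[$userId] ?? null;
        if ($row === null) {
            return false;
        }
        if ($now > $row['expires']) {
            unset($this->rows[$userId]);    // expired links are discarded
            return false;
        }
        if (!hash_equals($row['hash'], hash('sha256', $token))) {
            return false;
        }
        unset($this->rows[$userId]);        // single use
        return true;
    }
}

// Constructed walk-through with fixed clock values.
$store = new ResetTokenStore(3600);
$t0    = 1700000000;
$token = $store->issue(42, $t0);
echo 'https://billing.example.test/reset?uid=42&token=', $token, PHP_EOL;

var_dump($store->redeem(42, str_repeat('0', 64), $t0 + 60)); // wrong token
var_dump($store->redeem(42, $token, $t0 + 120));             // valid, in time
var_dump($store->redeem(42, $token, $t0 + 180));             // replay of a used link

$late = $store->issue(42, $t0);
var_dump($store->redeem(42, $late, $t0 + 3601));             // past the TTL
```
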
On 07/01/2021 at 20:56, gnsw said:

I really don't understand why remove a necessary option for the system administrator.  This makes us look bad to a client, it is ridiculous to try to explain to a client that we are the system administrators but we can't just change his password. 

I think the logic, though badly explained by WHMCS, is that clients can no longer login, and therefore no longer have/need/use passwords.... only users can login.

that said, there should absolutely be a direct means of changing a user's password from the admin area - the fact that there isn't makes no sense (especially given the process I outline below is available)

On 07/01/2021 at 20:56, gnsw said:

Are you trying to favor the developer of the "Change User Password" module ?

certainly nobody should need to buy an addon module to change a user's password - the very fact that there is such a module, should be a cause for embarrassment at WHMCS (it won't be though).

On 04/02/2021 at 04:16, Rahim said:

I have hard time when there is no password reset button in admin area. It is really hard I tell you. WHMCS should put it back.

you can login as the client owner, either directly or via the admin area client summary profile, and change their password directly from the client area.

On 10/02/2021 at 12:43, bear said:

I can't speak for them, but past unpopular decisions eventually get ignored until the complainers grow tired of the silence and forget.

sadly, so true.... though I still believe at some point they must add the option back in to the admin area - probably not in v8.1.1, but in one of the future major releases.

2 hours ago, brian! said:

you can login as the client owner, either directly or via the admin area client summary profile, and change their password directly from the client area.

Exactly, so there is a way for the administrator to change the user's password, right? But the WHMCS response says that intentionally the WHMCS does not allow you to manipulate the user's password:

16 hours ago, WHMCS John said:

v8.0 and above intentionally does not expose or permit direct manipulations or display of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.

So in one way or another, it is possible for the admin to change the user's password, without the user having to do it using the new method implemented by WHMCS.

The end result is:

1) Made the admin's life more complicated, more steps are needed to change a password.

2) The developer who made a paid module to change the password, is laughing and earning some money, and he is right.

Now the question remains: what does it cost the WHMCS to return with this functionality? It may even be optional, in the security settings the WHMCS admin may or may not activate this feature.

In practice WHMCS is imposing a way of working, it decides that we cannot change the password of our users. It is a worrying path, tomorrow WHMCS can decide other things, about how we should manage our companies. Perhaps, who knows, tomorrow a change will not allow us to change the password of a cpanel account anymore, if the user forgot the password, it is his problem.

I sincerely hope that the WHMCS will review this, it costs nothing to reactivate and I repeat: it is an optional feature, nobody is obliged to use it, anyone who agrees with this imposition of the WHMCS just does not use this function.

On 12/02/2021 at 15:37, Mindnet said:

Exactly, so there is a way for the administrator to change the user's password, right? But the WHMCS response says that intentionally the WHMCS does not allow you to manipulate the user's password:

if that's the case, then that raises a contradiction - either the user shouldn't be allowed to directly "manipulate" the password, or the admin should have the option to do so from the admin area.


"you can login as the client owner, either directly or via the admin area client summary profile, and change their password directly from the client area."

This is not possible without knowing the original user password.
Ridiculous change and sloppy implementation with the empty areas in the admin and extra user pop up screen.


I have been using WHMCS for over 5 years

An example from a customer call ...

  • Customer: please can you reset my password?
  • Call centre: I send you an email ASAP
  • Customer: I do not have access to my email system at the moment

At this point we need the power to help the customer. Any customer problem with our service we need to be able to help and fix in one call.

This password change will lose us customers

Please put the system back to 7.9 password functionality?

Thanks

Pete


You can reset the password from the database.

While I understand your reasons for wanting this feature back, resetting a password over the phone isn't the most secure way. 

On 2/11/2021 at 5:59 PM, WHMCS John said:

v8.0 and above intentionally does not expose or permit direct manipulations or display of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.

When did WHMCS become a SaaS system? 
 

Quote

Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

 

1 hour ago, xyzulu said:

You can reset the password from the database.

While I understand your reasons for wanting this feature back, resetting a password over the phone isn't the most secure way. 

 

Change password in the database? This implies:

- Provide access to the database to company employees;

- Expect all team members to know how to manipulate data in a database, without damaging anything;

Finally, changing the password in the database is no longer simple. In the past it was enough to rewrite the password with md5(), but in WHMCS that does not work anymore; passwords are probably recorded with password_hash.

Anyway, your suggestion to enter the database and change the customer's password is not practical and feasible for most companies.

As much as you consider providing a password over the phone a risk, there will be situations where it will be necessary, otherwise the customer will not be able to access WHMCS.

The company for security, can ask for the security answer, confirm profile data, etc. - before providing the password by phone.

And lastly, what has been ignored in this post: no company is required to reset password manually. The function that existed in WHMCS was an option. If the company's policy is not to provide passwords over the phone, then simply do not use this function to reset a password for the customer.

Unfortunately WHMCS has made a decision that affects companies, and WHMCS wants to decide how companies should work and treat their customers.

This is a dangerous path: today WHMCS prevents us from resetting the password for the customer, tomorrow it may prevent us from other things.

I repeat: it is something very simple: that the WHMCS comes back with the admin's role to change the user password. And whoever will use this function, nobody is obliged to use it.

How difficult is it to understand this?

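The difference between an `md5()` digest and a `password_hash` value mentioned in the post above, as an added example that is not part of the original post and is not WHMCS code. Whether WHMCS stores passwords with `password_hash` is the poster's guess; the function names `classifyStoredHash` and `verifyAndUpgrade` are hypothetical, and the upgrade-on-login step goes beyond what the post discusses.

```php
<?php
declare(strict_types=1);

// Added illustration, not WHMCS code; no WHMCS table or column is assumed.

// Identify the format of a stored credential string.
function classifyStoredHash(string $stored): string
{
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return $info['algoName'];            // e.g. "bcrypt", "argon2id"
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        return 'md5-hex';                    // unsalted legacy digest
    }
    return 'unrecognised';
}

// Check a login attempt. Returns [valid, replacement hash or null]; a
// replacement is produced when the stored value is a legacy or outdated hash.
function verifyAndUpgrade(string $password, string $stored): array
{
    $kind = classifyStoredHash($stored);
    if ($kind === 'unrecognised') {
        return [false, null];
    }
    if ($kind === 'md5-hex') {
        $valid = hash_equals(strtolower($stored), md5($password));
        return [$valid, $valid ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $valid   = password_verify($password, $stored);
    $upgrade = $valid && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$valid, $upgrade ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample values.
$password = 'correct horse battery staple';
$legacy   = md5($password);
$modern   = password_hash($password, PASSWORD_DEFAULT);

echo classifyStoredHash($legacy), PHP_EOL;
echo classifyStoredHash($modern), PHP_EOL;

// An MD5 digest is not in a format password_verify() accepts.
var_dump(password_verify($password, $legacy));

// Two hashes of one password differ because each embeds a random salt,
// so a stored value cannot be checked by recomputing and comparing strings.
var_dump($modern === password_hash($password, PASSWORD_DEFAULT));

[$valid, $replacement] = verifyAndUpgrade($password, $legacy);
var_dump($valid, classifyStoredHash((string) $replacement));
```
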
On 21/04/2021 at 09:58, peterh88 said:

At this point we need the power to help the customer. Any customer problem with our service we need to be able to help and fix in one call.

there are third-party solutions (well one), there is code available to reset a password... and I suppose ultimately if you had to, you could change a user's email (possibly via a direct db edit) to one you could access, send the password reset email, change password and then change the email back... yeah silly, long winded and as Mindnet says, you wouldn't want just anyone being able to directly interact with the database, but they're the main options.

On 2/11/2021 at 10:59 PM, WHMCS John said:

This paradigm is common to many modern SaaS systems.

Common <> Good

For major changes like this you need to ask the users of your software for feedback BEFORE you go ahead and implement yet another "feature" that makes our lives harder.


You really need to add this option back, people will have upset customers and/or lose customers for something that should be so simple. Email is not always reliable, and can be blocked or have issues. How can you not know this?


How can we manually change the password in phpmyadmin? This is a nightmare. Why make things harder for your customers?


So I bought the $25 plugin and it doesn't work. So now I've wasted over an hour, have a headache, and still can't change  a customer's password. This is crap


So now the app makers of the password change plugin won't refund the payment even though it doesn't work. I've wasted hours on this and lost a new customer because WHMCS can't have a simple password change option for customers. It's insane how ridiculous things can be. Amazing

3 hours ago, Web Host Pro said:

So now the app makers of the password change plugin won't refund the payment even though it doesn't work. I've wasted hours on this and lost a new customer because WHMCS can't have a simple password change option for customers. It's insane how ridiculous things can be. Amazing

Yeah, It is truly bizarre the way they picture what should happen! brian!'s idea of changing the email temporarily would probably be the quick fix you need if you can't make something to show it! 

I do feel your pain there though, The decisions taken are somewhat insane-like. I don't mind the idea of this, but the implementation seems like they banged it out after a heavy sesh with their eyes closed! Absolutely devastatingly poor, with no thought about implications or thought to their customers increased support loads.......... Ah well, I suppose you could jack up prices and hire competent staff like WHMCS say they did! 😉

On 7/19/2021 at 1:49 PM, Web Host Pro said:

So I bought the $25 plugin and it doesn't work. So now I've wasted over an hour, have a headache, and still can't change  a customer's password. This is crap

How is the addon not working exactly?   Like does it give an error or an entry in the module log to indicate issues?   Just a rough thinking how I would do such an addon, there isn't much that could stop it from working. 


I don't know why it doesn't work. The plugin maker said to change the permissions on a file to fix it which didn't. He then said he couldn't fix it without my whmcs and ftp information which obviously I'm not going to give. I  said ok we tried, can I get a refund since it doesn't work. He said no.

It amazes how WHMCS lets scammers advertise on their website. Weird stuff

49 minutes ago, Web Host Pro said:

I don't know why it doesn't work. The plugin maker said to change the permissions on a file to fix it which didn't. He then said he couldn't fix it without my whmcs and ftp information which obviously I'm not going to give. I  said ok we tried, can I get a refund since it doesn't work. He said no.

It amazes how WHMCS lets scammers advertise on their website. Weird stuff

That's not really scamming, they're offering to help you sort it! WHMCS seems to allow a lot of questionable activity - But this is most likely a config issue. I have seen people say they use it, But I'm not familiar with it myself! 

Could you install into a dev install and let them work out the issue? If it doesn't work it should have the same problem and they can tell you the steps to reproduce. 

As a side note, You should give the full story in the initial instance. 


Anyone having any luck in fixing the admin reset of a password? Looking for a reliable 3rd party app that can fix this. I need to allow my staff to change the user password by entering a new password for them.  Has anyone tried this plugin by HartSoftCode? Not great reviews and I'm hoping they will see this thread and respond. Or better yet, maybe WHMCS can help us out!

 
