Email passwords


snofire

I dislike this change from 7.6 to 8 in how resetting a password works, along with there being no verification that the email was sent to the user in the Emails portion of their profile. When looking in phpMyAdmin in tblusers and finding the user, the password that is set for them isn't in there. It's a bunch of numbers and letters.

 

Is there a way we can reset this in there so that it sticks? I tried testing with one and changing the password made no difference.

Link to comment
Share on other sites

22 hours ago, snofire said:

I dislike this change from 7.6 to 8 in how resetting a password works, along with there being no verification that the email was sent to the user in the Emails portion of their profile.

password reset emails have never been logged have they?

https://docs.whmcs.com/Clients:Emails/Notes/Logs_Tabs

Quote

The Emails tab is accessed via the Clients > View/Search Clients page, select a client, then click the tab marked "Emails".

It contains a paginated list of emails sent to the client through WHMCS since the logs were last pruned, with the exception of the "Automated Password Reset", "Client Email Address Verification", and "Password Reset Validation" emails.

These emails are not recorded intentionally.

22 hours ago, snofire said:

When looking in phpMyAdmin in tblusers and finding the user, the password that is set for them isn't in there. It's a bunch of numbers and letters.

it will be in there, but encrypted... it wouldn't be much of a secure password if you could view the database and see it openly.

22 hours ago, snofire said:

Is there a way we can reset this in there so that it sticks? I tried testing with one and changing the password made no difference.

i've just reset a client password via the email link - it works fine and updates the database.... though I preferred the previous method of being able to edit it directly in the profile.

Link to comment
Share on other sites

@brian! I believe they were logged before and showed in the EMAIL tab  but they do not now in 8.0.

For resetting the password, sure, I can put the user's email address in so it sends them the link, but I can't then reset the password for them and there is no log in their EMAIL tab to look at. I understand they want to secure things, but yet I can see a user's full CC information, so I think that would be more damaging than a reset password problem. That would be more of an InfoSec problem for the CC info to be visible.

Link to comment
Share on other sites

6 minutes ago, snofire said:

I believe they were logged before and showed in the EMAIL tab  but they do not now in 8.0.

I honestly don't believe that these password reset emails have ever (e.g whilst i've been using WHMCS) been logged.

10 minutes ago, snofire said:

For resetting the password, sure, I can put the user's email address in so it sends them the link, but I can't then reset the password for them and there is no log in their EMAIL tab to look at.

oh i'm not disagreeing that it's a backward step, but I don't expect them to change it back now... that's the nature of WHMCS, they think they know what's best, and almost regardless of any stink you can create, they'll just plod on regardless down that intended path.

technically, you could reset a user's password using the API and that would only take a few lines of code... but in an ideal world, any decent software shouldn't expect users to need to code to do the most trivial of things that were previously possible in the admin area.

Link to comment
Share on other sites

  • 2 weeks later...

My reset password emails aren't even being sent ... let alone appearing in the sodding emails list ... they just sort of disappear, doesn't matter front end or back end.

I've dutifully modified and checked all the templates - they look fine.

I have to wait until a client tells me they didn't get their lost password email, and their changed email address emails ... cuz I have no idea otherwise that they had tried.

Alas!

Might look at some hooks ... dunno what to do really. 

Cheers!

 

Link to comment
Share on other sites

5 hours ago, HancoEuropa said:

My reset password emails aren't even being sent ... let alone appearing in the sodding emails list ... they just sort of disappear, doesn't matter front end or back end.

I've dutifully modified and checked all the templates - they look fine.

I have to wait until a client tells me they didn't get their lost password email, and their changed email address emails ... cuz I have no idea otherwise that they had tried.

Alas!

Might look at some hooks ... dunno what to do really. 

Cheers!

 

You should be logging your outgoing email/SMTP.. check those logs.

Edited by xyzulu
Link to comment
Share on other sites

@VirtualWorldGlobal has a valid point.

I understand this is a security feature, and I could understand some big hosting companies with outsourced support, that could need this.
But on smaller teams, or on teams where only the owners of the hosting company reply to tickets, it makes things harder.

It might sound strange but there are many people that have trouble resetting a password, maybe there is a way for future WHMCS updates to allow enabling this option again.

Link to comment
Share on other sites

1 hour ago, Juanzo said:

maybe there is a way for future WHMCS updates to allow enabling this option again.

Or at the very least, asking users if it's a good idea before implementing a change like this. We don't do this often for clients, but as we do know most personally, it has come up in the past. 
Be nice to know the official reasoning behind it being removed.

Link to comment
Share on other sites

Just came across this issue today - customers not receiving reset password emails, (additional users now known as 'contacts') and a users tab for the account owner. (Makes a mess of previous permissions setups done by the customers.)

So no emails being sent, and I can't request it sent from admin dashboard and I can't reset it for them in the dashboard.  I have to go hunting through the DB.

THIS IS RIDICULOUS WHMCS  - SORT IT OUT!

Link to comment
Share on other sites

  • WHMCS Support Manager

Hi all,

v8.0 intentionally does not expose or permit direct manipulations of User passwords via the UI. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems and will be familiar to many.

You can still send the password reset email as before, it has now moved to the Users tab: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option

Contacts never had passwords and weren't able to login in v7.10, that behaviour is carried across to v8.0: https://help.whmcs.com/m/v80/l/1317175-help-with-users-where-are-sub-accounts

 

The password reminder emails have not been logged to the email log for many years, this is an intentional security measure to prevent the validation link being bypassed via the client area email log page.

If your email provider reports any error at the time of email sending, it will be logged to the Configuration > System Logs page as always.

If no error occurs and your email provider accepts the message, it is outside of the scope of WHMCS to track email delivery further. Please work with your mailserver admin to investigate email delivery issues.

 

In v8.1 we will be adding a new System Log entry when the password reset email is sent by an admin user, to make identifying any problems with that process easier.

 

Link to comment
Share on other sites

5 hours ago, WHMCS John said:

Contacts never had passwords and weren't able to login in v7.10, that behaviour is carried across to v8.0: https://help.whmcs.com/m/v80/l/1317175-help-with-users-where-are-sub-accounts

 

Contacts actually did have passwords if the box was checked to allow them to login. Whatever you called the contact on the backend when that box was checked has no bearing to us who only use the frontend. The result was contacts could login with a password prior to v8.

Link to comment
Share on other sites

Well, I remember in the past you could see the new password in the email history on the user's account. I considered that a security issue, since the historical email has the password visible in clear text. Does someone know if this was fixed? Passwords should never be displayed in the email history on the user's account or anywhere.

Link to comment
Share on other sites

12 hours ago, WHMCS John said:

Hi all,

v8.0 intentionally does not expose or permit direct manipulations of User passwords via the UI. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems and will be familiar to many.

You can still send the password reset email as before, it has now moved to the Users tab: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option

Contacts never had passwords and weren't able to login in v7.10, that behaviour is carried across to v8.0: https://help.whmcs.com/m/v80/l/1317175-help-with-users-where-are-sub-accounts

 

The password reminder emails have not been logged to the email log for many years, this is an intentional security measure to prevent the validation link being bypassed via the client area email log page.

If your email provider reports any error at the time of email sending, it will be logged to the Configuration > System Logs page as always.

If no error occurs and your email provider accepts the message, it is outside of the scope of WHMCS to track email delivery further. Please work with your mailserver admin to investigate email delivery issues.

 

In v8.1 we will be adding a new System Log entry when the password reset email is sent by an admin user, to make identifying any problems with that process easier.

 

 
 
 

 

Edited by yggdrasil
Link to comment
Share on other sites

1 minute ago, xyzulu said:

.. and you can do just that in WHMCS v8.x 😉

Ah sorry, I read somehow the option was removed which would make no sense. I need to constantly force a password change manually on users' accounts for some reason. Not sure what the issue is here then.

Edited by yggdrasil
Link to comment
Share on other sites

Frankly, there are equally compelling issues on both sides here.

As an admin user, YES, of course everyone for various reasons would like to see the password-related emails in the client email log/listing.   Helps for customer service to see/know when/how/if that email was sent, etc

As any responsible IT manager, YES, it is completely unacceptable to expose a user password in plain text in logs etc.   Against best practice as noted by WHMCS, and just a bad idea.

Could we possibly all aim for a compromise?

How about:    Simply mask the password immediately after it is sent and prior to logging.    Admins would only see "*****" in the email log. 

Workable?

 

Link to comment
Share on other sites
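
The masking compromise proposed in the post above, together with the staff explanation that reset emails are kept out of the log so the validation link cannot be reused from it, as an added example (not WHMCS code and not written by any poster in this thread): a filter that masks reset-link tokens and password lines before an email body is stored in a log. The parameter names, the `redact_for_log` function and the sample message are assumptions constructed for illustration.

```python
import re

# Query parameters treated as secrets. These names are assumptions for the
# example; use the parameter names your own reset links actually carry.
SECRET_PARAMS = ("token", "key", "reset", "code")

URL_RE = re.compile(r"https?://[^\s<>]+")
# Matches "?key=value", "&key=value" and the tail of "&amp;key=value".
PARAM_RE = re.compile(r"(?i)([?&;](?:%s)=)[^&#\s]+" % "|".join(SECRET_PARAMS))
# "Password: hunter2" style lines found in legacy plain-text templates.
LABEL_RE = re.compile(r"(?im)^([ \t]*(?:new\s+)?password[ \t]*[:=][ \t]*)\S.*$")
MASK = "*****"


def redact_for_log(body: str) -> tuple[str, int]:
    """Return (body safe to store in an email log, number of values masked)."""
    hits = 0

    def mask_url(match: re.Match) -> str:
        nonlocal hits
        # Mask only the secret parameter values so the log still shows
        # which link was sent, without the link remaining usable.
        url, n = PARAM_RE.subn(lambda m: m.group(1) + MASK, match.group(0))
        hits += n
        return url

    body = URL_RE.sub(mask_url, body)
    body, n = LABEL_RE.subn(lambda m: m.group(1) + MASK, body)
    return body, hits + n


# Constructed sample message, not a real WHMCS template.
SAMPLE = (
    "Hello Jane,\n"
    "Reset your password here:\n"
    "https://billing.example.test/reset?key=3f9a1c77e0&lang=en\n"
    "New Password: Tr0ub4dor&3\n"
    "Thanks, Support\n"
)

if __name__ == "__main__":
    safe, count = redact_for_log(SAMPLE)
    print(count, "value(s) masked")
    print(safe)
```

Redaction has to run before the body reaches the log store; masking it only when the log page is rendered leaves the live token in the database.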

I think long back it used to - if I am right, you must be knowing better...

On 10/20/2020 at 9:11 PM, brian! said:

password reset emails have never been logged have they?

Isn't it already fixed, I have not seen such emails in recent times...Yes passwords should be visible on clear text...

On 11/12/2020 at 10:09 AM, yggdrasil said:

Well, I remember in the past you could see the new password in the email history on the user's account. I considered that a security issue, since the historical email has the password visible in clear text. Does someone know if this was fixed? Passwords should never be displayed in the email history on the user's account or anywhere.

 

 

 

Link to comment
Share on other sites
