I dislike this change from 7.6 to 8 in how resetting a password works, along with there being no verification that the email was sent to the user in the Emails portion of their profile. When looking in phpMyAdmin in tblusers and finding the user, the password that is set for them isn't in there. It's a bunch of numbers and letters.

 

Is there a way we can reset this in there that it sticks? I tried testing with one and changing the password made no difference. 

22 hours ago, snofire said:

I dislike this change from 7.6 to 8 in how resetting a password works, along with there being no verification that the email was sent to the user in the Emails portion of their profile.

password reset emails have never been logged have they?

https://docs.whmcs.com/Clients:Emails/Notes/Logs_Tabs

Quote

The Emails tab is accessed via the Clients > View/Search Clients page, select a client, then click the tab marked "Emails".

It contains a paginated list of emails sent to the client through WHMCS since the logs were last pruned, with the exception of the "Automated Password Reset", "Client Email Address Verification", and "Password Reset Validation" emails.

These emails are not recorded intentionally.

22 hours ago, snofire said:

When looking in phpMyAdmin in tblusers and finding the user, the password that is set for them isn't in there. It's a bunch of numbers and letters.

it will be in there, but encrypted... it wouldn't be much of a secure password if you could view the database and see it openly.

22 hours ago, snofire said:

Is there a way we can reset this in there that it sticks? I tried testing with one and changing the password made no difference. 

i've just reset a client password via the email link - it works fine and updates the database.... though I preferred the previous method of being able to edit it directly in the profile.


@brian! I believe they were logged before and showed in the EMAIL tab  but they do not now in 8.0.

For resetting the password sure I can put the user's email address in so it sends them the link but I can't then reset the password for them and there is no log in their EMAIL tab to look at. I understand they want to secure things but yet I can see a user's full CC information so I think that would be more damaging than a reset password problem. That would be more of an InfoSEC problem for the CC info to be visible.

6 minutes ago, snofire said:

I believe they were logged before and showed in the EMAIL tab  but they do not now in 8.0.

I honestly don't believe that these password reset emails have ever (e.g whilst i've been using WHMCS) been logged.

10 minutes ago, snofire said:

For resetting the password sure I can put the user's email address in so it sends them the link but I can't then reset the password for them and there is no log in their EMAIL tab to look at.

oh i'm not disagreeing that it's a backward step, but I don't expect them to change it back now... that's the nature of WHMCS, they think they know what's best, and almost regardless of any stink you can create, they'll just plod on regardless down that intended path.

technically, you could reset a user's password using the API and that would only take a few lines of code... but in an ideal world, any decent software shouldn't expect users to need to code to do the most trivial of things that were previously possible in the admin area.


I understand. I just feel this is a step back from the admin's ability to service the customer and their accounts if they have problems. Well hopefully they take feedback and make some changes for the better.


My reset password emails aren't even being sent ... let alone appearing in the sodding emails list ... they just sort of disappear, doesn't matter front end or back end.

I've dutifully modified and checked all the templates - they look fine.

I have to wait until a client tells me they didn't get their lost password email, and their changed email address emails ... cuz I have no idea otherwise that they had tried.

Alas!

Might look at some hooks ... dunno what to do really. 

Cheers!

 

5 hours ago, HancoEuropa said:

My reset password emails aren't even being sent ... let alone appearing in the sodding emails list ... they just sort of disappear, doesn't matter front end or back end.

I've dutifully modified and checked all the templates - they look fine.

I have to wait until a client tells me they didn't get their lost password email, and their changed email address emails ... cuz I have no idea otherwise that they had tried.

Alas!

Might look at some hooks ... dunno what to do really. 

Cheers!

 

You should be logging your outgoing email/SMTP.. check those logs.

Edited by xyzulu


At the latest version, there is no way to manually set a user's password?

Indeed it makes it hard for clients that have a hard time resetting passwords; maybe there must be a way to enable this.

27 minutes ago, Juanzo said:

maybe there must be a way to enable this.

There is no way to do this in the current version, apart from editing the database.


Then it's a deliberate effort to modify a basic feature and upgrading to utmost worthlessness !!

13 hours ago, xyzulu said:

There is no way to do this in the current version, apart from editing the database.

 


@VirtualWorldGlobal has a valid point.

I understand this is a security feature, and I could understand some big hosting companies with outsourced support, that could need this.
But on smaller teams, or on teams where only the owners of the hosting company reply to tickets, it makes things harder.

It might sound strange but there are many people that have trouble resetting a password, maybe there is a way for future WHMCS updates to allow enabling this option again.

1 hour ago, Juanzo said:

maybe there is a way for future WHMCS updates to allow enabling this option again.

Or at the very least, asking users if it's a good idea before implementing a change like this. We don't do this often for clients, but as we do know most personally, it has come up in the past. 
Be nice to know the official reasoning behind it being removed.


Just came across this issue today - customers not receiving reset password emails, (additional users now known as 'contacts') and a users tab for the account owner. (Makes a mess of previous permissions setups done by the customers.)

So no emails being sent, and I can't request it sent from admin dashboard and I can't reset it for them in the dashboard.  I have to go hunting through the DB.

THIS IS RIDICULOUS WHMCS  - SORT IT OUT!


Hi all,

v8.0 intentionally does not expose or permit direct manipulations of User passwords via the UI. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems and will be familiar to many.

You can still send the password reset email as before, it has now moved to the Users tab: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option

Contacts never had passwords and weren't able to login in v7.10, that behaviour is carried across to v8.0: https://help.whmcs.com/m/v80/l/1317175-help-with-users-where-are-sub-accounts

 

The password reminder emails have not been logged to the email log for many years, this is an intentional security measure to prevent the validation link being bypassed via the client area email log page.

If your email provider reports any error at the time of email sending, it will be logged to the Configuration > System Logs page as always.

If no error occurs and your email provider accepts the message, it is outside of the scope of WHMCS to track email delivery further. Please work with your mailserver admin to investigate email delivery issues.

 

In v8.1 we will be adding a new System Log entry when the password reset email is sent by an admin user, to make identifying any problems with that process easier.

 

5 hours ago, WHMCS John said:

Contacts never had passwords and weren't able to login in v7.10, that behaviour is carried across to v8.0: https://help.whmcs.com/m/v80/l/1317175-help-with-users-where-are-sub-accounts

 

Contacts actually did have passwords if the box was checked to allow them to login. Whatever you called the contact on the backend when that box was checked has no bearing to us who only use the frontend. The result was contacts could login with a password prior to v8.


Well, I remember in the past you could see the new password in the email history on the user's account. I considered that a security issue, since the historical email has the password visible in clear text. Does someone know if this was fixed? Passwords should never be displayed in the email history on the user's account or anywhere.

9 minutes ago, yggdrasil said:

Passwords should never be displayed in the email history on the user's account or anywhere.

They are no longer visible

12 hours ago, WHMCS John said:

Hi all,

v8.0 intentionally does not expose or permit direct manipulations of User passwords via the UI. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems and will be familiar to many.

You can still send the password reset email as before, it has now moved to the Users tab: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option

Contacts never had passwords and weren't able to login in v7.10, that behaviour is carried across to v8.0: https://help.whmcs.com/m/v80/l/1317175-help-with-users-where-are-sub-accounts

 

The password reminder emails have not been logged to the email log for many years, this is an intentional security measure to prevent the validation link being bypassed via the client area email log page.

If your email provider reports any error at the time of email sending, it will be logged to the Configuration > System Logs page as always.

If no error occurs and your email provider accepts the message, it is outside of the scope of WHMCS to track email delivery further. Please work with your mailserver admin to investigate email delivery issues.

 

In v8.1 we will be adding a new System Log entry when the password reset email is sent by an admin user, to make identifying any problems with that process easier.

 

 
 
 

 

Edited by yggdrasil

1 minute ago, yggdrasil said:

Every SaaS application I know lets you force a password change on a user's account from the admin side.

.. and you can do just that in WHMCS v8.x 😉

1 minute ago, xyzulu said:

.. and you can do just that in WHMCS v8.x 😉

Ah sorry, I read somehow the option was removed which would make no sense. I need to constantly force a password change manually on users' accounts for some reason. Not sure then what is the issue here then.

Edited by yggdrasil

5 hours ago, yggdrasil said:

Well, I remember in the past you could see the new password in the email history on the user's account.

I think that was removed long before v8.


Frankly, there are equally compelling issues on both sides here.

As an admin user, YES, of course everyone for various reasons would like to see the password-related emails in the client email log/listing.   Helps for customer service to see/know when/how/if that email was sent, etc

As any responsible IT manager, YES, it is completely unacceptable to expose a user password in plain text in logs etc.   Against best practice as noted by WHMCS, and just a bad idea.

Could we possibly all aim for a compromise?

How about:    Simply mask the password immediately after it is sent and prior to logging.    Admins would only see "*****" in the email log. 

Workable?
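
The masking compromise proposed in the post above, combined with the reason given earlier in the thread for keeping validation links out of the email log, can be sketched as follows. This is an added example, not WHMCS code and not written by anyone in this thread: the three template names come from the documentation quoted earlier, while the function names, the `key`/`token`/`code` parameter names, the "Welcome Email" template and the sample message are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Templates the quoted documentation says are intentionally not recorded.
const SENSITIVE_TEMPLATES = [
    'Automated Password Reset',
    'Client Email Address Verification',
    'Password Reset Validation',
];

// Mask secrets in a body before it is written to any log (hypothetical helper).
function redactBody(string $body): string
{
    $masked = preg_replace(
        [
            // Value of a reset/verification token carried in a URL query string.
            '/([?&](?:key|token|code)=)[^\s&"\'<>]+/i',
            // Anything printed after a "Password:" or "New password:" label.
            '/^([ \t]*(?:new[ \t]+)?password[ \t]*:[ \t]*)\S.*$/mi',
        ],
        '$1*****',
        $body
    );
    // Fail closed: if the regex engine errors, log nothing rather than the raw body.
    return $masked ?? '[body withheld: redaction failed]';
}

// Build the record an admin would see: proof of sending, never the secret.
function buildLogEntry(string $template, string $recipient, string $body): array
{
    $sensitive = in_array($template, SENSITIVE_TEMPLATES, true);
    return [
        'sent_at'   => gmdate('c'),
        'template'  => $template,
        'recipient' => $recipient,
        // Sensitive templates keep only metadata; other mail keeps a masked body.
        'body'      => $sensitive ? '[body withheld]' : redactBody($body),
    ];
}

// Constructed sample message, not taken from a real system.
$body = "Hello,\nReset here: https://billing.example.com/reset.php?key=3f9a1c77e2\n"
      . "Password: hunter2\n";

print_r(buildLogEntry('Password Reset Validation', 'user@example.com', $body));
print_r(buildLogEntry('Welcome Email', 'user@example.com', $body));
```

The first entry records that the reset email went out without storing a usable link; the second shows the masked body (`key=*****`, `Password: *****`) for an ordinary template that happens to contain a secret.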

 

On 31/10/2020 at 4:32 PM, xyzulu said:

You should be logging your outgoing email/SMTP.. check those logs.

Brad, thanks for that, obviously that solved my issue, most appreciated!


I think long back it used to - if I am right, you must be knowing better...

On 10/20/2020 at 9:11 PM, brian! said:

password reset emails have never been logged have they?

Isn't it already fixed, I have not seen such emails in recent times... Yes passwords should be visible in clear text...

On 11/12/2020 at 10:09 AM, yggdrasil said:

Well, I remember in the past you could see the new password in the email history on the user's account. I considered that a security issue, since the historical email has the password visible in clear text. Does someone know if this was fixed? Passwords should never be displayed in the email history on the user's account or anywhere.

 

 

 
