WGS Posted January 10, 2023

We’ve got something to share…

We recently received a lot of requests for support with a client password reset in the WHMCS admin area. As always, you said it and we acted on it. We are excited to introduce our new module for admins to reset passwords on the WHMCS platform - Reset user password module.

With our Reset user password module, admins can now securely reset passwords for clients without compromising their privacy. We understand the pain of recovering and resetting passwords for clients and have ensured that you can go through the process smoothly.

Buy the module https://whmcsglobalservices.com/reset-client-password-whmcs-module/ here today. In case of any queries, you can find us here https://whmcsglobalservices.com/contact-us/

Always here to serve all your WHMCS needs.

websavers Posted February 4, 2023

I'm confused as to how this is different from what's built in to WHMCS. They didn't remove this function, they just moved it to Users, which makes sense as Clients no longer have passwords - users do.

It's done in the WHMCS admin under The Client Account > Users > Click the arrow to the right of the user > Password Reset

That triggers the password reset process securely.

Edited February 4, 2023 by websavers

hmaddy Posted February 5, 2023

This will work only if the emails are working correctly. Admin cannot reset a password.

DennisHermannsen Posted February 5, 2023

20 hours ago, websavers said:
> It's done in the WHMCS admin under The Client Account > Users > Click the arrow to the right of the user > Password Reset

The module allows you to specify a password. Not just send a password reset request.

websavers Posted February 5, 2023

4 hours ago, DennisHermannsen said:
> The module allows you to specify a password. Not just send a password reset request.

I see. I just assumed that couldn't have been the case given that it explicitly states above:

On 1/10/2023 at 4:56 AM, WGS said:
> admins can now securely reset passwords for clients without compromising their privacy.

However if the admin can see the password it most definitely compromises their privacy and is not, by definition, as secure as the built-in function.

Kian Posted February 6, 2023

8 hours ago, websavers said:
> However if the admin can see the password it most definitely compromises their privacy and is not, by definition, as secure as the built-in function.

What privacy? The admin already knows everything.

websavers Posted February 6, 2023

19 minutes ago, Kian said:
> What privacy? The admin already knows everything.

Huh? That's patently false. User passwords are one-way hashed and with the built-in password reset, strictly the user knows it. With this module that security/privacy is broken.

Example of this being a problem: staff member resets the password for clients. Staff member then leaves the company, and can no longer login as a WHMCS admin user, but has kept a record of all passwords changed. The now former staff member then uses those passwords to access client accounts or sells to the highest bidder. That's no good and definitely not private or secure.

Edited February 6, 2023 by websavers

DennisHermannsen Posted February 6, 2023

4 hours ago, websavers said:
> Huh? That's patently false. User passwords are one-way hashed and with the built-in password reset, strictly the user knows it. With this module that security/privacy is broken.

I think Kian is referring to the fact that the admin already knows the clients' name, email, address, phone number and potentially other personal information.

The only way I would ever think of using a module like this is to set a temporary password for the user (if they no longer have access to their email account for example) and then force the user to set a new password after logging in.

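The temporary-password approach suggested in the post above, as an added example that is not part of the thread and is not WHMCS or module code. The `Account` class, its field names and the 15-minute `TEMP_TTL` are assumptions made for illustration: a staff-set password is stored hashed, flagged, time-limited, and only good for choosing a new password.

```python
import hashlib
import hmac
import os
import time

TEMP_TTL = 15 * 60  # assumed lifetime of a staff-issued temporary password (seconds)

def _hash(password: str, salt: bytes) -> bytes:
    # One-way hash: the stored digest cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Hypothetical user record; not WHMCS's schema or API."""

    def __init__(self, password: str):
        self._store(password)
        self.must_change = False
        self.temp_expires = None

    def _store(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)

    def admin_set_temporary(self, temp_password: str, now: float = None) -> None:
        # Staff choose the value, so it is flagged and given a short lifetime.
        now = time.time() if now is None else now
        self._store(temp_password)
        self.must_change = True
        self.temp_expires = now + TEMP_TTL

    def login(self, password: str, now: float = None) -> str:
        # Returns "full", "change_required" (may only set a new password) or "denied".
        now = time.time() if now is None else now
        if not hmac.compare_digest(_hash(password, self.salt), self.digest):
            return "denied"
        if self.must_change:
            return "change_required" if now <= self.temp_expires else "denied"
        return "full"

    def change_password(self, current: str, new: str, now: float = None) -> bool:
        # The user picks the new value; reusing the staff-known one is refused.
        if self.login(current, now) == "denied" or new == current:
            return False
        self._store(new)
        self.must_change = False
        self.temp_expires = None
        return True
```

Once the user has changed the password, a value a staff member wrote down no longer authenticates; until then it is limited by the expiry and by the restricted `change_required` state.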
Evolve Web Hosting Posted February 6, 2023

8 hours ago, websavers said:
> Huh? That's patently false. User passwords are one-way hashed and with the built-in password reset, strictly the user knows it. With this module that security/privacy is broken.

I agree but on a side note, I am going slightly off topic to point out that the passwords for cPanel (and other modules) are wide open on the admin side. I think WHMCS should devote more time to cleaning things up like this.

There are plenty of different software where you can reset a user's password and temporarily see it (many ecommerce platforms for example). I'm not saying it's the right way but they exist.

Kian Posted February 6, 2023

11 hours ago, websavers said:
> Huh? That's patently false. User passwords are one-way hashed and with the built-in password reset, strictly the user knows it. With this module that security/privacy is broken. Example of this being a problem: staff member resets the password for clients. Staff member then leaves the company, and can no longer login as a WHMCS admin user, but has kept a record of all passwords changed. The now former staff member then uses those passwords to access client accounts or sells to the highest bidder. That's no good and definitely not private or secure.

I am saying that passwords are irrelevant when it comes to staff members and more in general the company that runs everything. This can also be extended to emails and even entire servers since you don't own the hard drive.

Who cares about passwords when staff members have access to things like servers, cPanel, Plesk, terminal, webmails, phpMyAdmin, third-party modules etc. In this context there's no way you can keep customer details private and secure.

Let me make you a very scary example. Tomorrow I release a free WHMCS module that solves all the problems we have ever had with this platform. 50k providers install it on their systems because it is just too good. What stops me from running a script that grabs all servers passwords so I can edit millions of websites? What stops me from getting hundreds of thousands of auth codes so I can transfer domains where I want? What stops me from ransomwaring everything? Surely not passwords.

99% of the time passwords are not meant to protect data from staff members, providers and maintainers. Their purpose is protecting end-users from other users. The only thing you can do as a company is trusting and choosing the right partners.

As for members leaving the company, for what it's worth you could turn off password viewing/edit permissions.

Edited February 6, 2023 by Kian

websavers Posted February 8, 2023

I think this answer from everyone above explains why security is so minimal these days.

It really *does* make a difference, particularly if you have clients with domains - their Client Area password provides access to *their entire account (hosting, domains, etc)* whereas cPanel and Plesk passwords are limited to just the hosting panels. With scenario 1 your clients just lost all their domains and hosting. Scenario 2 means they only lose their hosting. That's a pretty big difference. Furthermore with SSO for hosting panels (which is now default in WHMCS), you *can* block staff (with some mods) from viewing those passwords as well.

On 2/6/2023 at 9:00 AM, Kian said:
> What stops me from running a script that grabs all servers passwords so I can edit millions of websites?

If you're the only staff member, then sure. But many hosting companies have multiple staff that have limited access to client passwords and other such data in WHMCS.

On 2/6/2023 at 9:00 AM, Kian said:
> What stops me from getting hundreds of thousands of auth codes so I can transfer domains where I want?

When a staff member is no longer employed, they could have easily saved passwords because of this module. They cannot do so with the built in WHMCS password changing system. And if they no longer have access to WHMCS when they're gone, they can't access those domains to get auth codes.

You need to think about *all* the possible angles, not just one, and then play the whatabout game to distract with other drawbacks. Note that this is *exactly* how numerous recent data leaks occurred - because of former employees having access to systems they shouldn't have.

Edited February 8, 2023 by websavers

ManagedCloud-Hosting Posted February 9, 2023

On 2/6/2023 at 8:30 PM, Kian said:
> when staff members have access to things like servers, cPanel, Plesk, terminal, webmails, phpMyAdmin, third-party modules etc.

@websavers Staff members doing such things what you say is rare and @Kian is absolutely correct... staff members have access to the above things so I don't understand your privacy concerns?

Also as @evolve hosting mentioned WHMCS needs to fix many other concerns where we are bound to use plain text... what about that? Am I correct @evolve hosting?

Evolve Web Hosting Posted February 9, 2023

49 minutes ago, ManagedCloud-Hosting said:
> Also as @evolve hosting mentioned WHMCS needs to fix many other concerns where we are bound to use plain text...what about that ? Am I correct @evolve hosting ?

@ManagedCloud-Hosting I think they should conceal the passwords but it's been like this for years so I don't hold my breath thinking they'll make any changes for this.

WGS (Author) Posted April 13, 2023

Finally, the module is ready now. You can buy it here: https://whmcsglobalservices.com/reset-client-password-whmcs-module/

LittleCreek Posted May 9, 2023

The way I have to do it now is change their email so that I get the password reset email. Then I can change the client's password to something I know. Then change the client's email back to what it was. Then email the client with the new password. It's a very simple workaround. It's stupid reasoning to not allow an admin to change the client's password directly when it can be so easily circumvented.

bear Posted May 9, 2023

3 hours ago, LittleCreek said:
> The way I have to do it now is change their email so that I get the password reset email. Then I can change the client's password to something I know. Then change the client's email back to what it was. Then email the client with the new password. It's a very simple workaround. It's stupid reasoning to not allow an admin to change the client's password directly when it can be so easily circumvented.

Well of course it is. I think they actually broke functionality with the new user/owner system, and the fix was to remove that in favor of fixing it, all in the name of "security", because who can argue against security?

ereemst Posted June 5, 2023

This is really nonsense, we have a support desk for clients, 90% of our clients call us because they forget their password or still pay with bank direct. I am a small company, I want 100% control. The password fields were broken years ago, but I could put in a new one or let it create one on the fly to give to the user by phone. Now we can't.. and after the reset, in the email tab or log of the user the email proof of sending is not there? So clients call again telling me they did not get the email.

Again, another STUPID change that programmers can create a plugin for, same as subclients or reseller account creation, that is still not implemented.

Edited June 5, 2023 by ereemst

WGS (Author) Posted June 6, 2023

21 hours ago, ereemst said:
> This is really nonsense, we have a support desk for clients, 90% of our clients call us because they forget their password or still pay with bank direct. I am a small company, I want 100% control. The password fields were broken years ago, but I could put in a new one or let it create one on the fly to give to the user by phone. Now we can't.. and after the reset, in the email tab or log of the user the email proof of sending is not there? So clients call again telling me they did not get the email. Again, another STUPID change that programmers can create a plugin for, same as subclients or reseller account creation, that is still not implemented.

Did you try our module? https://whmcsglobalservices.com/reset-client-password-whmcs-module/

LittleCreek Posted June 6, 2023

3 hours ago, WGS said:
> did you try our module? https://whmcsglobalservices.com/reset-client-password-whmcs-module/

Why should we pay for something that was included originally and then removed? I am no longer getting what I was paying for. The fact that someone else can write a plugin to do it shows that it's not that hard. I am switching to Blesta as fast as I can because of the attitude of WHMCS.

WGS (Author) Posted June 7, 2023

Are you talking about the WHMCS default feature or the module?

LittleCreek Posted June 7, 2023

WHMCS used to have this feature and then disabled it or broke it. Now if we want to use this feature we have to pay for an extra module. I will switch to Blesta before I do this.

DennisHermannsen Posted June 8, 2023

I've made a simple module that allows you to change your users' passwords:

mrtechnik Posted July 27, 2023

On 4/02/2023 at 5:45 PM, websavers said:
> I'm confused as to how this is different from what's built in to WHMCS. They didn't remove this function, they just moved it to Users, which makes sense as Clients no longer have passwords - users do. It's done in the WHMCS admin under The Client Account > Users > Click the arrow to the right of the user > Password Reset That triggers the password reset process securely.

This is true and works. Well sort of. I have an issue at the moment where Client/User 1 is requesting a password reset or I request it as you have described but Client/User 2 is getting the reset email and it is a completely different email address.

Client 1 = ID 96
User 1 = ID 95
Client 2 = ID 97
User 2 = ID 96

As you can see from above, User 2 has the same ID as Client 1 and so the password reset is going to Client 1 rather than User 1!

DennisHermannsen Posted July 27, 2023

@WeaveStudios what version of WHMCS are you on? I remember that being an issue a long time ago when they introduced User Management.

mrtechnik Posted July 27, 2023

I am running 8.7.2. I know there is a minor update. All I can think is that there might be an issue with the database. Like some updates haven't been applied when I have updated.