acenetryan Posted January 23, 2009

We are importing our users from Modernbill to WHMCS. We found some time ago that Modernbill insecurely stores all of the user passwords in plaintext in the database and wrote some in-house cron jobs to regularly go through the plaintext fields and xxxxxxxx out the data. These passwords seem to be used for retrieving the password when the user forgets it, and the real MD5 hashes that are stored are what is used for the login. Seems kind of silly to me; why even bother with the conversion to MD5 if you're going to store the passwords in plaintext? Not that I encourage this. Anyways.

It looks like WHMCS uses a two-way encryption, because I was unable to find any fields which store the password in plaintext (Good!) and the password reset link actually sends the password to the user over email rather than giving them a reset link.

Herein lies my problem. During the import, the WHMCS script must use the plaintext password, which creates a problem for us: we'll have to manually reset all of our users' passwords. So far, a viable solution for us seems to be to reset the plaintext password in Modernbill right before we import. At least then all of the passwords will be different and the client can retrieve it via the Request a Password Reminder link in WHMCS.

So, long story short, it seems that there is no way for us to maintain our customers' current passwords if we make the switch, since WHMCS doesn't use MD5 as the login method.

Any thoughts?

Matt Wade Posted January 23, 2009

I think you pretty much covered it.