valorin Posted March 25, 2009
I am trying to decrypt client passwords with no success. I have tried both the API function and the decrypt() function in functions.php, and both return some weird characters, and not the password. Is there a way of decrypting client passwords?

bear Posted March 25, 2009
Why would you need this?

wiresocket Posted March 25, 2009 (edited)
Yeah, I would find this an invasion of privacy. There isn't a reason you should need this; you have admin rights to do what is needed.
Edited March 25, 2009 by wiresocket

valorin (Author) Posted March 25, 2009
> Yeah, I would find this an invasion of privacy.

Ha! Go into your WHMCS installation, bring up a random client, and go to the 'Profile' page, and then look for the 'Password' field. By your reasoning, you have just invaded your client's privacy. How do you feel now?

We discovered that the admin section lets staff save clients without passwords, and then lets the clients log in without passwords... So in an effort to protect our clients' privacy I was trying to implement a script to look for empty passwords, so we could then go through and update them to have a password. As encrypted passwords aren't a static value (i.e. they change each time they are encrypted), it was impossible to check for an empty password without decrypting it first to see if it was empty.

So.... can you understand my intentions now?

bear Posted March 26, 2009
Are you suggesting that an empty string is also encoded in the db when no password is entered?

valorin (Author) Posted March 26, 2009
Yes, it will encrypt it so it looks no different to all the other clients that actually do have passwords.

WHMCS CEO Matt Posted March 26, 2009
No password won't allow login to take place. Try it again and don't be logged in as admin at the time.
Matt

valorin (Author) Posted March 26, 2009
I just did it a number of times on our installation; it let me straight in, no problems. We are running the latest version of WHMCS. I was switching the 'Status' between the various options (Active, Inactive, Closed), so maybe that has something to do with it?

Edit: Ok, I just saw your "and don't be logged in as admin".. it doesn't appear to work when I log out of admin.

valorin (Author) Posted March 26, 2009
Ok, so it doesn't allow login with empty passwords for normal customers. Is there anything that can be done about preventing it from working for staff as well?

WHMCS CEO Matt Posted March 26, 2009
Staff need to be able to log in to client accounts and can do so without supplying the customer's password; there would be no reason to prevent that. There is no issue here.
Matt

edisplay Posted March 30, 2009
I have a similar problem... We found, after Mbill import, that some clients have an empty password, so they can't log in. We found 3 clients with this problem, but we don't know if there are more. It should be nice to find out all these clients and assign them a password before they try to log in with no success. Is there a way to extract clients with an empty password from the db?
Thanks a lot
Alessandro

bear Posted March 30, 2009
> It should be nice to find out all these clients and assign them a password before they try to log in with no success.

If you assign them a password, they still would not be able to log in because they wouldn't know the new one.

edisplay Posted March 30, 2009
Yes, but there is an email template to remind them of their username and password ("client area details reminder").

floyd Posted June 4, 2009 (edited)
It does not "remind" of the password. It resets the password to something random. I used to be able to tell clients what their password was over the phone. Now the only way is to reset the password, which really makes me mad. It creates more work for me. I really hate this new security "feature." It forces me to store their password elsewhere as well when they sign up or change their password so that I can tell them later what it is. I just have to create an extra function in the skin to do what I need to do.
Edited June 4, 2009 by floyd