vT16 (Author), posted May 7, 2009
Hello,
We have made our own looking login system a bit more advanced than WHMCS's one, therefore we need to know how the encryption works / what method you are using. If it's crypted, hashed etc, the method that is used to decrypt and verify the password the moment the client logs in.
Thanks,

chickendippers, posted May 7, 2009
http://forum.whmcs.com/showthread.php?t=19143 under "Security"

vT16 (Author), posted May 7, 2009
There is not just MD5, but also some kind of salt or something?

chickendippers, posted May 8, 2009
That's all that's publicly been released. If you need more than that, you'll have to contact tech support.

openmind, posted May 8, 2009
From what I can tell it's an irreversible MD5 hash so you won't be able to decrypt it. I would use the API to get the client password...
On a side note, I personally think it's a bit of a waste of time as if someone has compromised your database you're screwed anyway.

vT16 (Author), posted May 8, 2009
If you read my original post then you will see why we need this...

openmind, posted May 8, 2009
And if you read mine you will see the passwords cannot be decrypted. Use the API, it works and does exactly what it says on the tin...

vT16 (Author), posted May 8, 2009
The API is not updated / does not work with Version 4. It just returns the MD5 value.

ckh, posted May 8, 2009
MD5 encryption can't be decrypted, so that's all you are going to get...

jozeph, posted May 9, 2009
In this case, the get client password call on the API will return only the MD5 hash?

vT16 (Author), posted May 9, 2009
I am not requiring that the password is going to be decrypted, all I need to know is how the password function is set up with what MD5 value and how exactly the extra seed value functions. I shouldn't be required to use the built-in WHMCS login module if I don't want or need to...
The fact that the password now gets encrypted (very good) but it also forces us to remove the WHMCS login form and make a complete new one to get the extra login functions we want and require. As we have yet been able to figure out how we can get our clients logged in through a custom login form instead of WHMCS's form.

nhudson, posted May 9, 2009
> I am not requiring that the password is going to be decrypted, all I need to know is how the password function is set up with what MD5 value and how exactly the extra seed value functions. I shouldn't be required to use the built-in WHMCS login module if I don't want or need to...
> The fact that the password now gets encrypted (very good) but it also forces us to remove the WHMCS login form and make a complete new one to get the extra login functions we want and require. As we have yet been able to figure out how we can get our clients logged in through a custom login form instead of WHMCS's form.
What could you possibly need to modify on the login form that you can't already do using templates and action hooks?

vT16 (Author), posted May 9, 2009
For an example, integration and use of alternative login methods like AOL, Logmein, or the popular OpenID? We have had it for a long time with v3, but with v4 it was difficult to implant as we haven't been able to figure out how we can log in the client when all we know is that it's MD5, we also need to know how the seed value is set up and functions.

FazeWire Web Services, posted May 9, 2009
You need to contact support, they are not going to just give away how they encrypt passwords on the most popular billing/support suite in the world on a public forum.

vT16 (Author), posted May 9, 2009
I have been in touch with them.

vT16 (Author), posted May 13, 2009
After some testing back and forth, we found out how the hash is set up.

atDev, posted May 17, 2009
Are you allowed to share? If not, can someone confirm the API encrypt password method works for v4?

ckh, posted May 17, 2009
No one's going to do that in an open forum and you really shouldn't ask that here. Put in a support ticket and ask there.

atDev, posted May 17, 2009
> No one's going to do that in an open forum and you really shouldn't ask that here. Put in a support ticket and ask there.
Agreed, I didn't expect it to be shared in the forum, simply via a PM. Either way, never mind, figured it out.

vT16 (Author), posted May 18, 2009
PW + Salt = Password Hash

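Added example (not part of the thread and not WHMCS's code): a custom login form checks a salted MD5 record by recomputing it, so nothing needs to be decrypted. It goes one step beyond the thread by re-storing the password under PBKDF2 after the first successful login. The md5(password + salt) order, the "hex:salt" record layout, all function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 600_000  # assumed PBKDF2 work factor for upgraded records


def make_legacy_record(password, salt):
    """Constructed legacy layout (an assumption): md5(password + salt) as 'hex:salt'."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def verify_legacy(password, record):
    """Recompute the salted MD5 and compare in constant time; nothing is decrypted."""
    stored, _, salt = record.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def make_pbkdf2_record(password):
    """Store a fresh random salt and a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (ROUNDS, salt.hex(), dk.hex())


def verify_pbkdf2(password, record):
    """Re-derive the digest with the stored salt and round count, then compare."""
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login(password, record):
    """Return (ok, record_to_store); a legacy record is upgraded on a good login."""
    if record.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, record), record
    if verify_legacy(password, record):
        return True, make_pbkdf2_record(password)
    return False, record


if __name__ == "__main__":
    legacy = make_legacy_record("correct horse", "x9Qe2")  # constructed sample
    ok, upgraded = login("correct horse", legacy)
    print(ok, upgraded.split("$")[0])
```
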
vT16 (Author), posted May 21, 2009
ID - Password Hash - Visitors IP = Password Hash

hireahit, posted May 25, 2009
> You need to contact support, they are not going to just give away how they encrypt passwords on the most popular billing/support suite in the world on a public forum.
With all due respect, if every single component of an encryption scheme (beyond the password or other details which are configuration data rather than part of the original source) can't be shared publicly without compromising security, it's broken by design.
Security by obscurity doesn't work, at least not against an enemy who is sufficiently interested (or bored).