Client Passwords

[DH_Mark]

Which encryption are client passwords using now? I thought it was md5.

 

I have a login script I'm working on (for trouble tickets) and a test client. The password in WHMCS is 'test' (verified by logging in WHMCS just for kicks). I attempted to login via my script using md5(), and upon submission it displays the results from the API function getclientsdatabyemail and it displays the hash from WHMCS. The two do not match.

 

 

098f6bcd4621d373cade4e832627b4f6

 

is the md5 using md5()

 

1c1b72c5f8b3ab2da7f8c53bede50da4:IwKMY

 

is what WHMCS is giving me. Am I missing something?

[bmarchi]

I also would like to know.

 

somebody?

[beboo]

Same here. I'm developing a panel for integration into other services and was doing the same thing as Mark but now it's not working. I also tried using decryptpassword on the returned password and got funny characters (which i've seen in using md5("password",true)) so i tested that as well to no avail. Also tried using encryptpassword on the submitted password and comparing and they don't match either.

 

Can anyone from WHMCS chime in here and tell us what is different?

 

Thanks.

[eccen]

So... does anyone know this?

[Damo]

You can use the following API call to get the MD5 hash to compare.

 

http://wiki.whmcs.com/API:Get_Clients_Password

[tomdchi]

its MD5 but its using a salt as well and thats why its different. The salt is the part after the : when you look up the password in the database.

The API function linked above is not what you want. It only returns the password as set in the database. In order to get it to work you would have to use the encrypt function in the API and encrypt what the user enters and then compare that with what is in the database. http://wiki.whmcs.com/API:Encrypt_Password

Edited May 23, 2010 by tomdchi