zippohosting Posted June 7, 2009 Share Posted June 7, 2009 We noticed that in version 4 we are unable to view a client's password in their profile summary page. After the upgrade to 4.0 that WHMCS performed we noticed a change that has effected our clients. 1. Login to the admin center 2. Click on a client 3. Click on Profile 4. The profile password is MISSING - it just says "Enter to Change" - no matter what we type there it is NEVER DISPLAYED. How do we get their profile password displayed? Many of our clients keep entering this information over and over and over because it says "Enter To Change" and when they do enter it they get the same message. From an Admin aspect we need to see the password as well when they call asking us to provide it to them. 0 Quote Link to comment Share on other sites More sharing options...
chickendippers Posted June 7, 2009 Share Posted June 7, 2009 Hi, This is a security change in v4, passwords are irreversibly encrypted. See the big discussion thread for more. 0 Quote Link to comment Share on other sites More sharing options...
zippohosting Posted June 7, 2009 Author Share Posted June 7, 2009 Well I read all of those and became very confused. I was hoping someone found a way to do it. Every business practice is unique and this aspect of not being able to see passwords - even the client themselves is going to be a customer service nightmare. Thanks for your reply. 0 Quote Link to comment Share on other sites More sharing options...
striddy Posted June 7, 2009 Share Posted June 7, 2009 Have you upgraded to 4.0.1 yet? 0 Quote Link to comment Share on other sites More sharing options...
zippohosting Posted June 7, 2009 Author Share Posted June 7, 2009 Yep - Matt and his team did it for me. So I have the latest version and I just checked and it says 4.0.1 0 Quote Link to comment Share on other sites More sharing options...
nixell Posted June 7, 2009 Share Posted June 7, 2009 i using 4.0.1 but cant see password 0 Quote Link to comment Share on other sites More sharing options...
chickendippers Posted June 7, 2009 Share Posted June 7, 2009 That wasn't one of the changes is 4.0.1 0 Quote Link to comment Share on other sites More sharing options...
zippohosting Posted June 7, 2009 Author Share Posted June 7, 2009 WHMCS Version: 4.0.1 PHP Version: 5.2.9 MySQL Version: 4.1.22-standard Can not see the passwords for clients, can for their hosting accounts obviously... 0 Quote Link to comment Share on other sites More sharing options...
keliix06 Posted June 7, 2009 Share Posted June 7, 2009 There is nothing you will be able to do to see the passwords. They are one way encrypted. 0 Quote Link to comment Share on other sites More sharing options...
merlinpa1969 Posted June 8, 2009 Share Posted June 8, 2009 lol, look in the welcome email that was sent... you have it stored... its in there 0 Quote Link to comment Share on other sites More sharing options...
Lawrence Posted June 8, 2009 Share Posted June 8, 2009 lol, look in the welcome email that was sent... you have it stored... its in there As long as you don't empty out the e-mail logs, it will be there for you 0 Quote Link to comment Share on other sites More sharing options...
SilverNodashi Posted June 8, 2009 Share Posted June 8, 2009 This feature has been disabled, due to "security reasons", yet more and more people actually use it. I still think it should be put back 0 Quote Link to comment Share on other sites More sharing options...
keliix06 Posted June 8, 2009 Share Posted June 8, 2009 This was a "feature" that never should have existed in the first place. It's a good thing they have fixed it. At this point, even if they wanted to change it back, you wouldn't be able to see any of the passwords since they are encrypted. 0 Quote Link to comment Share on other sites More sharing options...
Zeon Posted June 8, 2009 Share Posted June 8, 2009 I've found that knowing the client's password allows a more personalized service. Sure there should be an option to disable it for those who don't want it but for those who do there should also be that option. 0 Quote Link to comment Share on other sites More sharing options...
jnet Posted June 9, 2009 Share Posted June 9, 2009 To see clients password is privacy issue. I am happy that it was fixed I am not interested in knowing their password. 0 Quote Link to comment Share on other sites More sharing options...
johannes Posted June 12, 2009 Share Posted June 12, 2009 I can see also advantages, I have friends and customers who contacting me directly and ask a) for password because they cant find right now or b) how to do this or that inside whmcs, so it would be a good thing to be able to login as customer in their accounts to provide exactly help. I understand also the security option view. So far from this I would say the best would be to have a choice. This thing with one-way-encryption seems also to be a wired thing in many threads here, where people try to integrate the whmcs-login with other cms (eg. joomla. wordpress, .. every is MD5 in databases, but no chance to get it with whmcs encryption..) And the really best would be to have both: the choice if/if not to see the client-pw, and the option to choose how the datas are encrypted in the database. This is my personal wisheslist for the next whmcs-version. 0 Quote Link to comment Share on other sites More sharing options...
openmind Posted June 12, 2009 Share Posted June 12, 2009 I really fail to see the problem with the client password encoded or not. The 4.0.1 patch introduced the ability to get the md5 encoded password by supplying the clients email so where's the problem? 0 Quote Link to comment Share on other sites More sharing options...
SilverNodashi Posted June 12, 2009 Share Posted June 12, 2009 To see clients password is privacy issue. I am happy that it was fixedI am not interested in knowing their password. How exactly is that a privicy issue? You have his website, his email accounts, his databases (which could very well contain a LOT MORE private info than a password for this WHMCS account) and could very very easily do MUCH more harm with that, then his WHMCS password. This is a needed feature by MANY, and if you don't trust yourself, or your staff then neither you or they should work for a hosting company. 0 Quote Link to comment Share on other sites More sharing options...
merlinpa1969 Posted June 12, 2009 Share Posted June 12, 2009 I have friends and customers who contacting me directly and ask a) for password because they cant find right now You actually verbally give users their password...... not here and anyone that I catch doing that will be headed for unemployment... if they cant remember their password then they can 1 use the forgot password link 2 put in a ticket and we will resend the welcome email ( ONLOY to the email address on record ) 0 Quote Link to comment Share on other sites More sharing options...
9DollarDomains Posted June 12, 2009 Share Posted June 12, 2009 My understanding from another thread is that if the client uses the 'forgotten password' link, it'll generate them a new random password and send that to them. If that is correct, that's the part that I have a problem with. Personally - I think that a full 'root' admin should be able to view everything - but I mainly don't want the system changing their passwords to random ones. 0 Quote Link to comment Share on other sites More sharing options...
merlinpa1969 Posted June 12, 2009 Share Posted June 12, 2009 WHY then they can login and change it again 0 Quote Link to comment Share on other sites More sharing options...
keliix06 Posted June 13, 2009 Share Posted June 13, 2009 (edited) ask a) for password because they cant find right now http://www.yourwhmcssite.com/passwordreminder.php or b) how to do this or that inside whmcs, so it would be a good thing to be able to login as customer in their accounts to provide exactly help. When looking at the client in the admin panel there is a link that says "Login as Client". Click that to login as them. You don't need access to their password to do that. I really fail to see the problem with the client password encoded or not. The 4.0.1 patch introduced the ability to get the md5 encoded password by supplying the clients email so where's the problem? No it didn't. While that's technically possible, it's not feasible and not something WHMCS would do. They can get a new password emailed to them, but it can't recover their old password. 2 put in a ticket and we will resend the welcome email ( ONLOY to the email address on record ) The welcome email can't tell them their password, it's encrypted. It's sent as ********. The only two ways they can get a password if they've forgotten it is using the password reminder your you manually resetting it in the admin panel and telling them directly, outside of a welcome email. Edited June 13, 2009 by keliix06 0 Quote Link to comment Share on other sites More sharing options...
djpete Posted June 13, 2009 Share Posted June 13, 2009 by the way the prompt is really misleading. It says: If you have forgotten your Client Area password, then enter your email address below to have it sent to that address. I have changed mine to: If you have forgotten your Client Area password, then enter your email address below to have it reset and sent to that address. 0 Quote Link to comment Share on other sites More sharing options...
johannes Posted June 13, 2009 Share Posted June 13, 2009 The 4.0.1 patch introduced the ability to get the md5 encoded password by supplying the clients email so where's the problem? if the original mail is deleted from the queue or logs, theres no way to get it again. it`ll resend a new one if you hit forgotten pw resend. and this is not what i need or my customers, some of them change it to their own (they want to be able to remember) and want that to do, so i must be able to read it in any way. i am the admin, so if i cant read it, what am i for a admin?? @merlinpa1969 - please dont take my head, i know my people on telefon and have reasons for that. its nothing what i would do with unknown people from whmcs or internet.. .. forgot pw link brings new pw, but i need the original (or that choosen by my customers) ... resend welcome mail dont show up the pw, it shows ***, its only possible if the original logs/queue are not deleted. @9DollarDomains - yeah, thats what i mean. as simple backup solution i store all pw`s encrypted on txt file and i am prepared for every question to every time. @keliix06 wrote "When looking at the client in the admin panel there is a link that says "Login as Client". Click that to login as them. You don't need access to their password to do that." - thank you , i`ve overseen that. but still i want to be able to read it (and however it would be good to know kind of encryption or having MD5 for possible bridges to cms) would it be a disadvantage (or security hole) for them who like it in the new way, if this would be an option to choose if readable (old way) or not (new way)? i think the code is already there for both ways, so it could be something like a checkbox? 0 Quote Link to comment Share on other sites More sharing options...
9DollarDomains Posted June 14, 2009 Share Posted June 14, 2009 WHY then they can login and change it againYes, I know. It's a PITA. Like some others on here, most of my customers are known to me personally - I recognize their voices on the phone, I know them to see them - they've counted on me for years to be able to quickly and easily provide them all sorts of info, including forgotten passwords. They will email me files and ask me to upload them to their site - and I like being able to lookup user/pass so that I can do that. Often their MySQL passwords will be the same as their FTP/CPanel passwords, so again - I like being able to look it up and it's always helped me service my customers. Fundamentally - I see no security advantage to having a full 'root' admin not being able to see all info, including passwords. 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.