  1. #1
    Join Date
    Aug 2014
    Posts
    354

    Decrypt Passwords

    I just found out this:
    https://developers.whmcs.com/api-ref...cryptpassword/

    Is this for server passwords or customers password or both?

    I'm a bit shocked to be honest, in a bad way.

    Encryption is not the same as hashing and passwords should never be encrypted but hashed.

    I had the impression WHMCS is hashing and then salting passwords. If you can decrypt passwords, it means they are neither hashed nor salted. Passwords are supposed to be irreversible in the database.
    While I can understand some may require this for customer login verification, this is unacceptable for storing server logins, in particular when most modules require root logins in order to provision services, and a company would have all their server passwords stored in WHMCS since every module, like cPanel, Plesk, etc., requires the root logins to be set.

    Maybe someone can clarify this.
    An ash I know there stands, a tall tree, connecting the nine worlds. Yggdrasill is its name.

  2. #2
    Join Date
    Dec 2016
    Posts
    28

    Re: Decrypt Passwords

    Yes. Passwords for servers are reversible, if you use them. cPanel and some other software offers an access hash which you can restrict to IPs (aka, the WHMCS server) - so you would just use the username + access hash.

    You don't have to use the root password in this case! Actually, never use the root password or root account. Create a reseller account with root reseller privileges.

    If we don't have a password or access hash for the server, you cannot use automatic setup.

    Your password is encrypted with the hash set in your configuration file (do not change this), so other installations of WHMCS cannot decrypt your passwords or hashes.

    See "Add a cPanel Server": http://docs.whmcs.com/CPanel/WHM#Adding_a_cPanel_Server

    I am fairly sure you can create a new Plesk reseller account with a different username and also restrict its IP to the WHMCS installation.

  3. #3
    Join Date
    Aug 2014
    Posts
    354

    Re: Decrypt Passwords

    Well, they don't specify what passwords they are talking about with the feature. I assumed passwords for servers are not hashed, as WHMCS needs to use them for automation. But user account passwords should be hashed and salted.

    As for the other thing you mentioned, I think you are a bit mistaken here when it comes to security. The WHM hash key acts just like a long password and nothing more. There is no difference between using that and setting up a password. They grant you the same access. (hash = key = long password)

    As for not using the root hash key and using a Reseller account instead, you may be right, except that not everything works with a regular cPanel Reseller account (an account with fewer privileges). I tested this in the past, and the Reseller in WHM requires the Super Privileges option to be turned on for WHMCS. I can't remember what features didn't work with WHMCS or if it was some module that didn't work, but that option had to be turned on.

    So if you use a Reseller account with that option ON, that is similar to using a root account. No difference; it's just like giving root privileges to an account with another name on Linux or giving administrator rights to someone on Windows. So it doesn't matter if you call it "root" or "joe": if that account is super admin, someone with access to those logins has the same access as someone with root.

    If someone steals your HASH you are in almost the same trouble as someone stealing a server password, and if the Reseller account you are using has Super Privileges set to ON, that is like using root anyway.

    Other modules (not cPanel) don't have that Hash option either, or don't work with accounts with fewer privileges. They require the root password for most stuff. Ouch!!!
    An ash I know there stands, a tall tree, connecting the nine worlds. Yggdrasill is its name.
