I just found this out:
Is this for server passwords or customers' passwords or both?
I'm a bit shocked to be honest, in a bad way.
Encryption is not the same as hashing and passwords should never be encrypted but hashed.
I had the impression WHMCS is hashing and then salting passwords. If you can decrypt passwords, it means they are neither hashed nor salted. Passwords are supposed to be irreversible in the database.
While I can understand some may require this for a customer login verification, this is unacceptable for storing server logins, in particular when most modules require root logins in order to provision services and a company would have all their server passwords stored in WHMCS, since every module, like cPanel, Plesk, etc., requires the root logins to be set.
Maybe someone can clarify this.
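The distinction raised in the post above, as an added example that is not part of the original post and is not WHMCS code: customer login verification needs only a salted one-way hash, so the stored record never has to be decrypted. The function names, the record format and the PBKDF2 iteration count are assumptions made for this sketch, and it covers login verification only.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch (not taken from the page or from WHMCS).
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow one-way derivation; there is no inverse that returns the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return 'salt_hex$digest_hex' built from a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    return f"{salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the candidate password and stored salt, then compare."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if len(expected) != KEY_LEN:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    sample = "constructed-sample-password"  # constructed input, not real data
    a = hash_password(sample)
    b = hash_password(sample)
    # Same password, different salts: the two stored records differ.
    print("records differ:", a != b)
    print("correct password verifies:", verify_password(sample, a))
    print("wrong password verifies:", verify_password("not-the-password", a))
```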