Re: Decrypt Passwords
Well, they don't specify what passwords they are talking about with the feature. I assumed passwords for servers are not hashed, as WHMCS needs to use them for automation. But user account passwords should be hashed and salted.
As for the other thing you mentioned, I think you are a bit mistaken here when it comes to security. The WHM hash key acts just like a long password and nothing more. There is no difference between using that and setting up a password. They grant you the same access. (hash = key = long password)
As for not using the root hash key and using a Reseller account instead, you may be right (account with fewer privileges), except not everything works with a regular cPanel Reseller account. I tested this in the past, and the Reseller in WHM needs to have the option Super Privileges set to on for WHMCS. I can't remember what features didn't work with WHMCS or if it was some module that didn't work, but that option had to be turned on.
So if you use a Reseller account with that option ON, that is similar to using a root account. No difference; it's like just giving root privileges to an account with another name on Linux or giving administrator rights to someone on Windows. So it doesn't matter if you call it "root" or "joe"; if that account is super admin, someone with access to those logins has the same access as someone with root.
If someone steals your HASH you are in almost the same trouble as someone stealing a server password, and if the Reseller account you are using has Super Privileges set to ON, that is like using root anyway.
Other modules (not cPanel) don't have that Hash option either or don't work with accounts with fewer privileges. They require the root password for most stuff. Ouch!!!