Mass WHMCS Password Reset

Maher Member

Greetings,
Is there a possible way to reset all WHMCS clients' passwords forcefully?


Comments

  • Yura Member
    edited March 2017
    1. There is a $10 plugin for that. Called Bulk reset iirc
    2. Setup > General Settings > Security tab > Disable MD5 Clients Password. Not a good idea
    3. Go to database and change all hashes to something like "ohshit"
    Thanked by 3ehab yomero WSS
  • raindog308 Administrator, Veteran

    Is there...any reason you ask?

    Thanked by 2JahAGR WHT
  • Yura Member

    @raindog308 said:
    Is there...any reason you ask?

    ~

    @Yura said:
    something like "ohshit"

  • Deadpool?

  • pbgben Member, Host Rep

    Hack?

  • WSS Member

    @pbgben said:
    Hack?

    Yes, yes it is.

  • FlamesRunner Member
    edited March 2017

    Easy.

    Send a mass email detailing a forced password reset, and run:

    -- overwrites every client's stored hash with a literal that is not a valid hash
    UPDATE `tblclients` SET password = 'ohshit';

    (on your WHMCS DB)

    Magic.

  • WSS Member

    That would be magical if tblclients is also used for administration auth.

    Thanked by 1doghouch
  • @WSS

    Wouldn't that be fun :P

  • WSS Member

    @FlamesRunner said:
    @WSS

    Wouldn't that be fun :P

    Yep. Then you can just set them all ='' and then no problem with password resets!

  • rm -rf easier.

  • Hxxx Member

    You realize this guy might do it? Cmon guys, there is no common sense nowadays, don't inspire actions... plis.. LOL

  • hmmmmmmmmmm.

    What happened?

  • pbgben Member, Host Rep

    @Hxxx said:
    You realize this guy might do it? Cmon guys, there is no common sense nowadays, don't inspire actions... plis.. LOL

    If they are stupid enough to not research/check what they are being told to do then they deserve it. Same principle as, if he jumped off a cliff, would you follow?

    Thanked by 2yomero lazyt
  • @pbgben said:

    @Hxxx said:
    You realize this guy might do it? Cmon guys, there is no common sense nowadays, don't inspire actions... plis.. LOL

    If they are stupid enough to not research/check what they are being told to do then they deserve it. Same principle as, if he jumped off a cliff, would you follow?

    Am I being chased by a grizzly? I might jump after him then.

  • pbgben Member, Host Rep

    @MagicalTrain said:

    @pbgben said:

    @Hxxx said:
    You realize this guy might do it? Cmon guys, there is no common sense nowadays, don't inspire actions... plis.. LOL

    If they are stupid enough to not research/check what they are being told to do then they deserve it. Same principle as, if he jumped off a cliff, would you follow?

    Am I being chased by a grizzly? I might jump after him then.

    In that event I'll be sure to jump before him ;)

  • raindog308 Administrator, Veteran

    MagicalTrain said: Am I being chased by a grizzly?

    Yes you are. Right this moment.

    Good news is that he's coming from northern Alaska and bears are kind of slow, so you've got a few years.

    Thanked by 1MagicalTrain
  • @raindog308 said:

    MagicalTrain said: Am I being chased by a grizzly?

    Yes you are. Right this moment.

    Good news is that he's coming from northern Alaska and bears are kind of slow, so you've got a few years.

    Wheew. Thanks. I'll be sure to be a Karate black belt until then so I can fight it off.

  • Maher Member

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

  • Maher Member

    @budi1413 said:
    Deadpool?

    try again later..

  • Neoon Community Contributor, Veteran
    edited March 2017

    @Maher said:

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

    Well, your homepage was not reachable at this time as you posted it, so it's more likely for me that there was some kind of a breach and you turned your page for security reasons offline.

    But okay.

  • joepie91 Member, Patron Provider
    edited March 2017

    @Maher said:

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

    This is a terrible idea. All this will accomplish is encouraging people to pick poorer passwords, because now they regularly have to make an effort to remember/manage/sync their new password, so it's easier to just use shitty ones.

    All the while not actually improving security; passwords don't go "stale" in the first place, and an exploitation window of months after a credential leak is hardly going to be any better than an exploitation window of years.

    Thanked by 3ucxo jackb WSS
  • jackb Member, Host Rep

    @joepie91 said:

    @Maher said:

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

    This is a terrible idea. All this will accomplish is encouraging people to pick poorer passwords, because now they regularly have to make an effort to remember/manage/sync their new password, so it's easier to just use shitty ones.

    All the while not actually improving security; passwords don't go "stale" in the first place, and an exploitation window of months after a credential leak is hardly going to be any better than an exploitation window of years.

    Just in case he needs a business reason not to do this too... Large number of customers will get frustrated by this and not bother logging in ever again, particularly if it wasn't announced via email & done for good reason.

  • Yura Member

    @Maher, which of the methods I suggested did you follow, or are you looking for something else?

  • Maher Member

    @Yura said:
    @Maher, which of the methods I suggested did you follow, or are you looking for something else?

    I'll use the bulk addon.

  • Maher Member

    @joepie91 said:

    @Maher said:

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

    This is a terrible idea. All this will accomplish is encouraging people to pick poorer passwords, because now they regularly have to make an effort to remember/manage/sync their new password, so it's easier to just use shitty ones.

    All the while not actually improving security; passwords don't go "stale" in the first place, and an exploitation window of months after a credential leak is hardly going to be any better than an exploitation window of years.

    How is it a terrible idea when you force someone to keep himself extra protected, poorer passwords? the bulk addon generates random passwords created with base64 encoding I assume, so they shouldn't be that easy to crack, however I wish if WHMCS decides one day to change their encryption method..

  • Neoon Community Contributor, Veteran
    edited March 2017

    @Maher said:

    @joepie91 said:

    @Maher said:

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

    This is a terrible idea. All this will accomplish is encouraging people to pick poorer passwords, because now they regularly have to make an effort to remember/manage/sync their new password, so it's easier to just use shitty ones.

    All the while not actually improving security; passwords don't go "stale" in the first place, and an exploitation window of months after a credential leak is hardly going to be any better than an exploitation window of years.

    How is it a terrible idea when you force someone to keep himself extra protected, poorer passwords? the bulk addon generates random passwords created with base64 encoding I assume, so they shouldn't be that easy to crack, however I wish if WHMCS decides one day to change their encryption method..

    Base64?

  • WSS Member

    Wait.. base64?

  • Maher Member

    @WSS said:
    Wait.. base64?

    It generates a password in base64 format

  • WSS Member

    That's pretty fucking stupid.
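
The base64 question raised in the last few replies, as an added example that is not part of the thread and not the addon's code: base64 is a reversible encoding, so a generated password is only as strong as the bytes that were encoded. The function names and sample values are hypothetical, and how the addon actually generates passwords is not stated in the thread.

```python
import base64
import secrets
import struct


def encode(raw: bytes) -> str:
    """Base64 only makes bytes printable; it is reversible and adds no secrecy."""
    return base64.b64encode(raw).decode("ascii")


def weak_password(client_id: int, issued_at: int) -> str:
    """Hypothetical weak generator: encodes values an outsider can guess."""
    return encode(struct.pack(">IQ", client_id, issued_at))


def strong_password(n_bytes: int = 18) -> str:
    """Encodes n_bytes from the OS CSPRNG: 8 * n_bytes bits must be guessed."""
    return encode(secrets.token_bytes(n_bytes))


def guesses_to_recover(target: str, client_id: int, window_start: int, window_len: int):
    """Count candidates tried before the weak generator's output is reproduced,
    knowing only the client id and a rough issue-time window. None if not found."""
    window = range(window_start, window_start + window_len)
    for tried, ts in enumerate(window, start=1):
        if weak_password(client_id, ts) == target:
            return tried
    return None


# Constructed sample values, not taken from any real system.
SAMPLE_CLIENT_ID = 1042
DAY_START = 1_490_000_000                 # start of an assumed one-day window
SAMPLE_ISSUED_AT = DAY_START + 37_215     # the second the reset was issued

if __name__ == "__main__":
    weak = weak_password(SAMPLE_CLIENT_ID, SAMPLE_ISSUED_AT)
    strong = strong_password()
    tries = guesses_to_recover(weak, SAMPLE_CLIENT_ID, DAY_START, 86_400)
    print(f"weak   {weak}  reproduced after {tries} guesses")
    print(f"strong {strong}  search space 2**{8 * 18}")
```

Both outputs look equally random on screen; only the second has a search space (2**144) that cannot be enumerated.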
