Mass WHMCS Password Reset - Page 2

Comments

  • WSS Member

    Unless you mean it makes a random password from an array, sets that to base64, and uses that as the password, which is then properly salted, et al..

  • WSS Member

    Then it's just lazy.

  • FlamesRunner Member
    edited March 2017

    I don't know what you're thinking @Maher, but base64 can be decrypted undone by using the PHP function base64_decode.

    It's a format to encode text, not encrypt.

    You're looking at SHA/crypt/etc to store passwords, and with at least a somewhat secure salt.

  • Yura Member

    There should be a market for Managed VPS business by analogy with managed server services.

  • WSS Member

    BASE64

    WHEN CAESAR JUST ISN'T GOOD ENOUGH

    Thanked by 1JahAGR
  • Yura Member

    Bruce Schneier called and said he won't be around for a week or so. Heavy drinking. Lost faith in humanity.

    Thanked by 1raindog308
  • Maher Member

    I didn't say the password is encoded in base64.
    All I said was that the php script generates passwords for users using the base64 format and then encrypts them with md5 using salt.

  • WSS Member
    edited March 2017

    So, it's lazy. Feel free to use mine instead.

  • joepie91 Member, Patron Provider

    @Maher said:

    @joepie91 said:

    @Maher said:

    @raindog308 said:
    Is there...any reason you ask?

    We want to make sure that all clients change their passwords on a regular basis.

    This is a terrible idea. All this will accomplish is encouraging people to pick poorer passwords, because now they regularly have to make an effort to remember/manage/sync their new password, so it's easier to just use shitty ones.

    All the while not actually improving security; passwords don't go "stale" in the first place, and an exploitation window of months after a credential leak is hardly going to be any better than an exploitation window of years.

    How is it a terrible idea when you force someone to keep himself extra protected, poorer passwords? The bulk addon generates random passwords created with base64 encoding I assume, so they shouldn't be that easy to crack, however I wish if WHMCS decides one day to change their encryption method..

    @Maher said:
    I didn't say the password is encoded in base64.
    All I said was that the php script generates passwords for users using the base64 format and then encrypts them with md5 using salt.

    What the flipping hell are you going on about?

    1. Frequent password changes do not keep people extra protected, they do the exact opposite. There's absolutely no security benefit to it whatsoever. Zero, zilch, nada, none. It's cargo cult nonsense from people who want to make themselves feel more secure without actually understanding security (which, unfortunately, is a group you seem to belong to, given the rest of your responses).
    2. base64 is an encoding format/algorithm, it doesn't "generate" anything. It turns bytes into bytes with a more limited printable character range at the cost of a 33% length increase. It has fuck all to do with either passwords or 'generating' anything.
    3. base64 has nothing to do with "easy to crack" either. There's nothing to "crack". It's a deterministic lossless encoding algorithm. There's no key. No cryptography. At all.
    4. MD5 does not "encrypt" anything, it's a hashing function. Hashing and encryption are two completely different things.

    Seriously, go have a read here, please. You have no clue what you're talking about.

    (Also, holy shit, I would never host anything with a provider that's this clueless about security and doesn't recognize it.)

    Thanked by 2ucxo JahAGR
  • Maher Member

    This is how a base64 format looks like.
    https://gyazo.com/160a9f04c40c891edb05dd1eea59f65b

  • WSS Member

    @joepie91 I figured what he was speaking about yesterday. As he just demonstrated, it's just pure laziness. Taking some arbitrary randomness and base64 encoding that (possibly stripping the padding =; didn't check). It's laziness, and possibly not that difficult to reverse, depending on the source of the "Random" seed used. But, yeah, I was assuming he meant that they stored the data as a simple base64 encoding, maybe with a simple xor or otherwise stuck in there for the hell of it.
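Added example, not part of any post in this thread and not WHMCS or addon code: a Python sketch of the distinctions joepie91 and WSS draw above (base64 is a keyless, reversible encoding; a generated password is only as unpredictable as the random source behind it; salted MD5 is a fast hash, not encryption). All function names and parameters are assumptions made for illustration, and PBKDF2 stands in for "a proper password hash".

```python
import base64, hashlib, hmac, math, os, random, secrets

def b64_roundtrip(raw: bytes):
    """base64 needs no key: anyone can decode it, and it grows data by about 33%."""
    enc = base64.b64encode(raw)
    lossless = base64.b64decode(enc) == raw
    size_ok = len(enc) == 4 * math.ceil(len(raw) / 3)
    return enc, lossless, size_ok

def password_from_prng(seed: int, nbytes: int = 12) -> str:
    """Weak pattern: bytes from a seedable PRNG, then base64.
    Whoever learns or guesses the seed regenerates the same password."""
    rng = random.Random(seed)
    raw = bytes(rng.getrandbits(8) for _ in range(nbytes))
    return base64.b64encode(raw).decode().rstrip("=")

def password_from_csprng(nbytes: int = 12) -> str:
    """Same output format, but the 96 bits come from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def salted_md5(password: str, salt: bytes) -> str:
    """One-way and deterministic, but a single cheap MD5 call per guess."""
    return hashlib.md5(salt + password.encode()).hexdigest()

ITERATIONS = 600_000  # assumed work factor; tune for your hardware

def kdf_hash(password: str, salt: bytes = None):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256 from the stdlib)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def kdf_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf_hash(password, salt)[1], digest)

if __name__ == "__main__":
    print(b64_roundtrip(b"hunter2!"))                        # constructed sample input
    print(password_from_prng(1234), password_from_prng(1234))  # identical
    print(password_from_csprng(), password_from_csprng())      # differ
    salt, digest = kdf_hash("correct horse")
    print(kdf_verify("correct horse", salt, digest))
```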

  • PieHasBeenEaten Member, Host Rep

    Just admit you got hacked man! No one does a mass passwd reset for just the hell of it. Only if they got hacked or fear something was stolen. The OP's excuse is pretty lame.

    Thanked by 1Yura