Difference between revisions of "Admin Password Hashing"
Revision as of 20:31, 27 May 2020
== Summary ==
When you upgrade to WHMCS 5.3.10 or later, the system will rehash each admin user's password automatically on the next successful login. The rehash will occur for either API authentication or an Admin Area authentication. WHMCS admins don't need to do anything to benefit from this low-level change in the product.
If you're performing a new installation of WHMCS 5.3.9 (or beyond), the system will always hash your admin passwords with the latest cryptographically-secure mechanism available.
== What You Need To Know ==
This security refinement occurs at a low level and, typically, you won't see any evidence of it in a standard WHMCS installation.
Only third-party integration developers that read and write admin authentication details directly from the database will notice this change. The specifics of the code will determine the complexity of change to make the integration functional again.
The system only updates password hashes on successful login, when the application has the raw password and is able to establish a new hash. Because the system stores admin passwords as one-way hashes, there is no way to perform a batch operation.
== Public Documentation for Developers ==

'''Demonstration Only'''

The example below shows the '''minimum''' amount of code, as a demonstration of the relevant class and methods only. For a more thorough example, see the Admin First Factor Verification Demo (http://www.whmcs.com/download/646/First-Factor-Verification-Demo).

```php
<?php

// Bootstrap WHMCS first; the path is assumed to be relative to the WHMCS root.
require_once __DIR__ . '/init.php';

use WHMCS\Auth;

// $username and $password are the admin credentials submitted for verification.
$authAdmin = new Auth;

// Look up the admin record by username, then compare the supplied
// password against the stored hash.
if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) {
    $isValid = true;
} else {
    $isValid = false;
}
```

'''About this example'''

The above code sample is compatible with WHMCS Version 6.0 and later.
== Hash Schema ==

WHMCS 5.3.9 introduces application-level support for the Bcrypt and SHA256-HMAC hash algorithms, using cryptographically secure hashing routines.

If the web server's PHP version is 5.3.7 or greater, the system uses Bcrypt. If the web server is running a version of PHP older than 5.3.7, the system uses SHA256-HMAC.
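As an added example (not WHMCS's own code), the following shows the verify-then-rehash pattern that the Summary and Hash Schema sections describe: a legacy SHA256-HMAC record is accepted on a successful login and immediately replaced with a Bcrypt hash, while an existing Bcrypt record is rehashed only if its cost parameter has changed. The hex HMAC encoding, the server-side key, the cost value and the PHP 7+ built-ins are assumptions; the page does not document WHMCS's actual storage format.

```php
<?php
// Added demo, not WHMCS code. Constructed assumptions: legacy hashes are hex
// SHA256-HMAC over the password with a server-side key; modern hashes are
// bcrypt strings beginning with "$2y$". Requires PHP 7 or later.

const DEMO_HMAC_KEY = 'constructed-demo-key';   // stand-in for a server-side secret
const DEMO_BCRYPT_COST = 12;                    // assumed cost parameter

// Returns ['valid' => bool, 'newHash' => ?string]. newHash is non-null only when
// the login succeeded AND the stored record should be replaced.
function verifyAndMaybeRehash(string $password, string $storedHash): array
{
    if (strncmp($storedHash, '$2y$', 4) === 0) {
        // Modern record: bcrypt.
        if (!password_verify($password, $storedHash)) {
            return ['valid' => false, 'newHash' => null];
        }
        // Upgrade only if the cost (or algorithm) no longer matches policy.
        $needs = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => DEMO_BCRYPT_COST]);
        $new = $needs ? password_hash($password, PASSWORD_BCRYPT, ['cost' => DEMO_BCRYPT_COST]) : null;
        return ['valid' => true, 'newHash' => $new];
    }

    // Legacy record: SHA256-HMAC. hash_equals avoids a timing side channel.
    $legacy = hash_hmac('sha256', $password, DEMO_HMAC_KEY);
    if (!hash_equals($storedHash, $legacy)) {
        return ['valid' => false, 'newHash' => null];
    }
    // A successful login is the only moment the plaintext is available, so it is
    // the only moment a one-way hash can be replaced: no batch migration is possible.
    return ['valid' => true, 'newHash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => DEMO_BCRYPT_COST])];
}

// Demo run: a constructed legacy record is upgraded on the first successful login,
// then verified again as bcrypt without a further rehash.
$stored = hash_hmac('sha256', 'correct horse', DEMO_HMAC_KEY);
$r = verifyAndMaybeRehash('correct horse', $stored);
if (!$r['valid'] || strncmp($r['newHash'], '$2y$', 4) !== 0) { throw new RuntimeException('legacy login should upgrade'); }
$stored = $r['newHash'];                                  // persist the upgraded hash
$r = verifyAndMaybeRehash('correct horse', $stored);
if (!$r['valid'] || $r['newHash'] !== null) { throw new RuntimeException('bcrypt record should not rehash'); }
if (verifyAndMaybeRehash('wrong password', $stored)['valid']) { throw new RuntimeException('bad password accepted'); }
echo "ok\n";
```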