Difference between revisions of "Admin Password Hashing"
(→Public Documentation for Developers) |
|||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | When you upgrade to WHMCS 5.3.10 or later, the system will rehash each admin user's password automatically on the next successful login. The rehash will occur for either API authentication or an [[Admin Area]] authentication. | |
| − | + | If you're performing a new installation of WHMCS 5.3.9 or later, the system will always hash your admin passwords with the latest cryptographically-secure mechanism available. | |
| − | + | == What You Need To Know == | |
| − | + | This security refinement occurs at a low level and, typically, you won't see any evidence of it in a standard WHMCS installation. | |
| − | + | Only third-party integration developers that read and write admin authentication details directly from the database will notice this change. The specifics of the code will determine the complexity of change to make the integration functional again. | |
| − | + | ||
| − | + | The system only updates password hashes on successful login, when the application has the raw password and is able to establish a new hash. Because the system stores admin passwords as one-way hashes, there is no way to perform a batch operation. | |
| − | |||
== Public Documentation for Developers == | == Public Documentation for Developers == | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | <div class="docs-alert-warning"> | |
| + | <span class="title">Demonstration Only</span><br /> | ||
| + | The example below shows the '''minimum''' amount of code, as a demonstration of the relevant class and methods only. For a more thorough example, see [http://www.whmcs.com/download/646/First-Factor-Verification-Demo Admin First Factor Verification Demo]. | ||
| + | </div> | ||
| − | < | + | <div class="source-cli"> |
<?php | <?php | ||
| − | $authAdmin = new | + | </br> |
| − | if ($authAdmin->getInfobyUsername($username) | + | </br>use WHMCS\Auth; |
| − | + | </br> | |
| − | ) { | + | </br>$authAdmin = new Auth; |
| − | $isValid = true; | + | </br> |
| − | } else | + | </br>if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) { |
| − | $isValid = false; | + | </br> $isValid = true; |
| − | } | + | </br>} else { |
| − | </ | + | </br> $isValid = false; |
| + | </br>} | ||
| + | </div> | ||
| − | + | <div class="docs-alert-warning"> | |
| + | <span class="title">About this example</span><br /> | ||
| + | The above code sample is compatible with WHMCS 6.0 and later. | ||
| + | </div> | ||
== Hash Schema == | == Hash Schema == | ||
| − | WHMCS 5.3.9 | + | [[Updating|WHMCS 5.3.9]] introduced application-level support and the Bcrypt and SHA256-HMAC hash algorithms using cryptographically secure hashing routines. |
| − | + | If the PHP version of the web server is 5.3.7 or greater, then the system uses Bcrypt. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, the system will use SHA256-HMAC. | |
Latest revision as of 17:10, 18 April 2022
When you upgrade to WHMCS 5.3.10 or later, the system will rehash each admin user's password automatically on the next successful login. The rehash will occur for either API authentication or an Admin Area authentication.
If you're performing a new installation of WHMCS 5.3.9 or later, the system will always hash your admin passwords with the latest cryptographically-secure mechanism available.
What You Need To Know
This security refinement occurs at a low level and, typically, you won't see any evidence of it in a standard WHMCS installation.
Only third-party integration developers that read and write admin authentication details directly from the database will notice this change. The specifics of the code will determine the complexity of change to make the integration functional again.
The system only updates password hashes on successful login, when the application has the raw password and is able to establish a new hash. Because the system stores admin passwords as one-way hashes, there is no way to perform a batch operation.
Public Documentation for Developers
Demonstration Only
The example below shows the minimum amount of code, as a demonstration of the relevant class and methods only. For a more thorough example, see Admin First Factor Verification Demo.
<?php </br> </br>use WHMCS\Auth; </br> </br>$authAdmin = new Auth; </br> </br>if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) { </br> $isValid = true; </br>} else { </br> $isValid = false; </br>}
About this example
The above code sample is compatible with WHMCS 6.0 and later.
Hash Schema
WHMCS 5.3.9 introduced application-level support and the Bcrypt and SHA256-HMAC hash algorithms using cryptographically secure hashing routines.
If the PHP version of the web server is 5.3.7 or greater, then the system uses Bcrypt. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, the system will use SHA256-HMAC.