Difference between revisions of "Admin Password Hashing"

From WHMCS Documentation

 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Summary ==
+
When you upgrade to WHMCS 5.3.10 or later, the system will rehash each admin user's password automatically on the next successful login. The rehash will occur for either API authentication or an [[Admin Area]] authentication.
  
On upgrade to WHMCS 5.3.10 or later, each admin user will have their password automatically rehashed on their next successful login post upgrading.  The rehash will occur for either an API authentication or an Admin Area authentication.  The WHMCS admin(s) does not need to do anything in order to benefit from this low-level change in the product.
+
If you're performing a new installation of WHMCS 5.3.9 or later, the system will always hash your admin passwords with the latest cryptographically-secure mechanism available.
  
If you are performing a fresh install of WHMCS 5.3.9 (or beyond), your admin passwords will simply be hashed with the latest cryptographically secure mechanism available to your web server environment from the start.
+
== What You Need To Know ==
 +
 
 +
This security refinement occurs at a low level and, typically, you won't see any evidence of it in a standard WHMCS installation.
 +
 
 +
Only third-party integration developers that read and write admin authentication details directly from the database will notice this change. The specifics of the code will determine the complexity of change to make the integration functional again.
  
== What You Need To Know ==
+
The system only updates password hashes on successful login, when the application has the raw password and is able to establish a new hash.  Because the system stores admin passwords as one-way hashes, there is no way to perform a batch operation.
* This security refinement occurs at a low-level and will typically go unobserved in a standard WHMCS installation.
 
* Only 3rd-Party Integration Developers that read/write admin authentication details directly from the database will be affected by this change.  The specifics of what they’re doing in their code will determine the complexity of change required to make their integration functional again.
 
* Password hashes are only updated upon successful login; it is only then that the application has the raw password and is able to establish a new hash.  Because the admin password are stored as one-way hashes, there is no way to perform a batch operation.
 
  
 
== Public Documentation for Developers ==
 
== Public Documentation for Developers ==
Below is the '''''minimum''''' amount of code; it is far from adequate, assumes a lot, but demos the relevant class and methods.
 
  
A more thorough example script can be found here [http://www.whmcs.com/download/646/First-Factor-Verification-Demo Admin First Factor Verification Demo]
+
<div class="docs-alert-warning">
 +
<span class="title">Demonstration Only</span><br />
 +
The example below shows the '''minimum''' amount of code, as a demonstration of the relevant class and methods only. For a more thorough example, see [http://www.whmcs.com/download/646/First-Factor-Verification-Demo Admin First Factor Verification Demo].
 +
</div>
  
<source lang="php">
+
<div class="source-cli">
 
<?php
 
<?php
+
</br>
use WHMCS\Auth;
+
</br>use WHMCS\Auth;
+
</br>
$authAdmin = new Auth;
+
</br>$authAdmin = new Auth;
+
</br>
if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) {
+
</br>if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) {
    $isValid = true;
+
</br>    $isValid = true;
} else {
+
</br>} else {
    $isValid = false;
+
</br>    $isValid = false;
}
+
</br>}
</source>
+
</div>
  
<div class="docs-alert-warning">The above code sample is compatible with WHMCS Version 6.0 and later</div>
+
<div class="docs-alert-warning">
 +
<span class="title">About this example</span><br />
 +
The above code sample is compatible with WHMCS 6.0 and later.
 +
</div>
  
 
== Hash Schema ==
 
== Hash Schema ==
WHMCS 5.3.9 introduces application-level support and usage of two hash algorithms using cryptographically secure hashing routines.
+
[[Updating|WHMCS 5.3.9]] introduced application-level support and the Bcrypt and SHA256-HMAC hash algorithms using cryptographically secure hashing routines.
  
Both the Bcrypt and SHA256-HMAC algorithms and hashing routines are supported.  If the PHP version of the web server is 5.3.7 or greater, then Bcrypt will be used. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, SHA256-HMAC will be used.
+
If the PHP version of the web server is 5.3.7 or greater, then the system uses Bcrypt. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, the system will use SHA256-HMAC.

Latest revision as of 17:10, 18 April 2022

When you upgrade to WHMCS 5.3.10 or later, the system will rehash each admin user's password automatically on the next successful login. The rehash will occur for either API authentication or an Admin Area authentication.

If you're performing a new installation of WHMCS 5.3.9 or later, the system will always hash your admin passwords with the latest cryptographically-secure mechanism available.

What You Need To Know

This security refinement occurs at a low level and, typically, you won't see any evidence of it in a standard WHMCS installation.

Only third-party integration developers that read and write admin authentication details directly from the database will notice this change. The specifics of the code will determine the complexity of change to make the integration functional again.

The system only updates password hashes on successful login, when the application has the raw password and is able to establish a new hash. Because the system stores admin passwords as one-way hashes, there is no way to perform a batch operation.

Public Documentation for Developers

Demonstration Only
The example below shows the minimum amount of code, as a demonstration of the relevant class and methods only. For a more thorough example, see Admin First Factor Verification Demo.

<?php </br> </br>use WHMCS\Auth; </br> </br>$authAdmin = new Auth; </br> </br>if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) { </br> $isValid = true; </br>} else { </br> $isValid = false; </br>}

About this example
The above code sample is compatible with WHMCS 6.0 and later.

Hash Schema

WHMCS 5.3.9 introduced application-level support and the Bcrypt and SHA256-HMAC hash algorithms using cryptographically secure hashing routines.

If the PHP version of the web server is 5.3.7 or greater, then the system uses Bcrypt. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, the system will use SHA256-HMAC.