Admin Password Hashing

From WHMCS Documentation

Revision as of 20:31, 27 May 2020 by SarahK (talk | contribs)

Summary

When you upgrade to WHMCS 5.3.10 or later, the system will rehash each admin user's password automatically on the next successful login. The rehash will occur for either API authentication or an Admin Area authentication. WHMCS admins don't need to do anything to benefit from this low-level change in the product.

If you're performing a new installation of WHMCS 5.3.9 (or beyond), the system will always hash your admin passwords with the latest cryptographically-secure mechanism available.

What You Need To Know

This security refinement occurs at a low level and, typically, you won't see any evidence of it in a standard WHMCS installation.

Only third-party integration developers that read and write admin authentication details directly from the database will notice this change. The specifics of the code will determine the complexity of change to make the integration functional again.

The system only updates password hashes on successful login, when the application has the raw password and is able to establish a new hash. Because the system stores admin passwords as one-way hashes, there is no way to perform a batch operation.

Public Documentation for Developers

Demonstration Only
The example below shows the minimum amount of code, as a demonstration of the relevant class and methods only. For a more thorough example, see Admin First Factor Verification Demo.

<?php </br> </br>use WHMCS\Auth; </br> </br>$authAdmin = new Auth; </br> </br>if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) { </br> $isValid = true; </br>} else { </br> $isValid = false; </br>}

About this example
The above code sample is compatible with WHMCS Version 6.0 and later

Hash Schema

WHMCS 5.3.9 introduces application-level support and the Bcrypt and SHA256-HMAC hash algorithms using cryptographically secure hashing routines.

If the PHP version of the web server is 5.3.7 or greater, then the system uses Bcrypt. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, the system will use SHA256-HMAC.