WHMCS password sync.

Nexxterra.com

It would be great if when an account was created using WHMCS, the user can choose a password that carries through to DA as well.
I always have to go in and do this for my clients because there are so many places they need to sign in at!
BTW... I have also posted this at WHMCS forum...
 
Clients can already reset their password for DA using whmcs.

And the password for whmcs should be different than DirectAdmin anyway for security.
 
The word SYNC was used for a reason...

The word SYNC was used for a reason, as the ability to change the DA password was not in question. As for security, let's not get silly, why not have the sql password different, and the ftp another, the email, the backup... etc. etc...
Do you really think for one minute the user, when changing the DA password would choose a completely random impossible to remember one, or perhaps use the same one they chose to get into the WHMCS panel....
The ability to SYNC will eliminate hours of unneeded customer aggravation and support requests.
After all, they are both encrypting the password now anyway
 
as for security, let's not get silly

I will wait for tillo our local security expert to comment on whether or not different passwords for different services is silly or not.

But what you are asking for is a WHMCS issue not a DA issue unless you want it so when the user changes his password in DA to carry through to WHMCS. But that is not what you asked for.

I do not foresee DA building anything to interface with all the different billing systems out there. If they do it for WHMCS then they would have to do it for everyone. But that is up to them.

I thought you had missed the fact that the client can reset their DA password themselves. Otherwise why would you have to do it for your clients? They must be missing it too.
 
I will wait for tillo our local security expert to comment on whether or not different passwords for different services is silly or not.
When I read that sentence from the original poster I laughed out loud, then I understood what he meant: of course from a security point of view it is a possibility you would definitely like to have, but he suggested a synchronization function would be nice for those that don't want that.

Well, in my opinion we should do the exact inverse: the same password should be denied for any other service, it should be forced to be changed often (with multiple notices and following failure) with no permission to set any previous password (for at least a few years) and it should follow at least the basics of "good" passwords (8+ chars and not just lower case alphanumeric).

The fact that you have lazy customers is not a good reason to make them worse: a good formation is a very important section of security.
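
The rules listed in the post above (no password shared with another service, no reuse of a previous one, 8+ characters, not only lower-case alphanumeric) can be checked without storing any plaintext. The following is an added example, not code from the thread, WHMCS or DirectAdmin; the function names, the PBKDF2 record format and the sample records are assumptions, it assumes the checker can read the other service's stored hash record, and forced expiry is left out.

```python
import hashlib
import hmac
import os
import re


def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256 record: (salt, rounds, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


def matches(password, record):
    """Re-derive the digest with the record's own salt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def check_new_password(password, history, other_services):
    """Return the list of rules the candidate breaks (empty list = accepted).

    history: stored records of this account's earlier passwords.
    other_services: {service name: stored record} for the same user.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if re.fullmatch(r"[a-z0-9]*", password):
        problems.append("only lower-case letters and digits")
    if any(matches(password, rec) for rec in history):
        problems.append("reuses a previous password")
    for service, rec in other_services.items():
        if matches(password, rec):
            problems.append(f"same as the {service} password")
    return problems


# Constructed sample records (rounds lowered so the demo runs quickly).
HISTORY = [hash_password("Spring-2009!", rounds=1000)]
OTHER = {"billing": hash_password("Invoice#77x", rounds=1000)}

if __name__ == "__main__":
    for candidate in ("abc123", "Spring-2009!", "Invoice#77x", "Tr4ctor-Beam"):
        print(candidate, "->", check_new_password(candidate, HISTORY, OTHER) or "accepted")
```

The comparison against another service only works at the moment the user types the new password, because salted records from two systems cannot be compared with each other directly.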
 
You are all so wise....

I love when people state things like facts.... even when their knowledge is limited.
First, DA and WHMCS work together using an API, which I know for a fact they have cooperated on from time to time. Without this type of cooperation DA and WHMCS would not be where they are today.
As far as this needing to be addressed by WHMCS, re-read my previous post, I attempted to avoid your useless input.
Furthermore, this thread is for what I want, MY suggestion. If you do not want something who gives a F%$#, do not enable it or use it.
I think DA should eliminate the Reseller portion of the software as MY company does not offer reseller packages, I find them to be a stupid and fraudulent waste, they will just be advertised by resellers as "Unlimited"
I am sure that seeing as the entire internet follows MY needs only I will also request that other features and maybe some TLDs be removed from service.
After all, this will serve to ensure that because I personally do not need something I do not have to keep wasting my time telling everyone how stupid their ideas are and how useless a feature may be for me!!!
 
Listening to your clients

My suggestions are based on the interactions I have with MY clients, any features or items you want to suggest, should be based on giving your customers the best experience.
An all in one system addresses this issue, however I chose to go with multiple modules and all the integration that goes with them...
Evolution with complementing software and the end users' needs has to be ongoing! 1 product changes... this product needs to evolve too.
This is my last post for this thread as I have better things to do than argue what is good FOR you when I can only determine that for myself.
 
I love when people state things like facts.... even when their knowledge is limited.
First, DA and WHMCS work together using an API

Apparently you are the expert on limited knowledge.

I have both DA and WHMCS and use both of their APIs extensively. And I am a programmer. I do have the knowledge of which I speak.

WHMCS does use the DA API to create, terminate, suspend accounts and much more. DA has never made use of the WHMCS API. There is not one instance of DA sending anything to WHMCS. There is no place to configure the url, username, and password of the WHMCS server within DA.

This thread is for what I want, MY suggestion

True. And we told you why it was a bad idea. The reply feature of this part of the forum is there for a reason. It's so that others can either support your request or suggest why it is not a good idea. It's a group effort. Before other people start supporting a feature like this we want them to know the grave dangers of using it.

Tillo certainly has more knowledge of security than you and I put together. If you would like to dispute that then state your credentials. Otherwise you would be wise to listen to him and maybe rethink your request.

I would explain more about why it's a bad idea but your mind is already made up. It's a shame that arrogance is going to lead to your getting hacked very badly one day or at least your clients getting hacked. As the host you are supposed to look out for your clients and prevent them from doing things that are unwise. Easy to guess passwords are unwise and same passwords on the control panel and billing system is unwise.


based on giving your customers the best experience

And the safest. If they get hacked or their account in WHMCS is compromised I doubt they will think they had a good experience.
 
Nexxterra.com:

Hopefully your clients all access WHMCS through a secure https connection, since it includes information which can be used in identity theft; perhaps even to enter credit card information.

Hopefully your clients all access your DirectAdmin control panel through a secure https connection, because anyone else capturing the password can use it to delete their entire site, email, etc.

Hopefully your clients never log in through any insecure email connection to their main username account, as doing so exposes the password you've given them for their WHMCS and DirectAdmin logins.

It's okay if you don't want to respect Martino, though he's certainly the gent I respect when I need a security expert.

And you're absolutely right, that's simply a request.

I sure hope it doesn't get implemented; I'd hate to see DirectAdmin implementing security threats.

But that's just my opinion.

Jeff
 
You are very kind guys, thanks. Of course that is my personal and professional opinion, if John is going to prefer adding this feature to the API (with a big red warning for newbies :D) in order to make everyone happy, I wouldn't stop using this amazing software anyway ;)
 
Hello,

I'd like some clarification on this request.

If WHMCS is creating the DA user, then it would be up to WHMCS to specify whatever password it wants... so that wouldn't be a request for DA.

If you're referring to having a tool that sets all DA passwords to be the same (DA login, email, ftp, mysql).. DA already does that when you change the password of your DA client. When the DA User changes his own password using the password icon in DA, he is presented with checkboxes for each of those services (all checked by default) asking which of them (all or some) they want to set to this new password. So the choice is already there within DA and the DA API.

Hence I'm not clear on exactly what "feature" you're asking to have us implement.

John
 
Exactly why I say it's a whmcs thing. No reason whmcs can't update the da pass when u change pass in whmcs.
 
If you're referring to having a tool that sets all DA passwords to be the same (DA login, email, ftp, mysql).. DA already does that when you change the password of your DA client.
This has caused us problems twice in the last week; I hope you'll consider a change.

The first problem was with a client who has listed as his contact email address in DirectAdmin a forward to his main account email address on our server. We changed his password using the random option to "resend welcome email" and of course he never got it.

The second was more serious: the same random option also changed his mysql password; it took us a long time to find the password in the client's configuration files for his software and fix it for him; it's not always called "password".

I doubt the email login problem is easily fixable; we don't always know when a client has used a forward or catchall to his username.

But I think it important that we do NOT change the mysql password when clicking to send a random new password for a user.

In fact we're no longer offering this option to our clients until this is resolved; in the case of this client, his entire site was down one whole business day.

Please consider a change.

Thanks.

Jeff
 
Hello,

Regarding contact emails on the same server, it's never advised to use a contact email on the same box, because if the box goes down, or say his email accounts aren't working, there isn't any way to contact him. I understand some people will do this anyway, can't really get around that, which is why we have the "Creator Duplicate" emails that get sent out as well, so you also get a copy and can forward it to him if he doesn't get it.

Also, if you go to the MySQL Management page, click a database, you'll notice that nowhere on that page is the system account listed. This is because it's a very bad idea to use it in your scripts, mainly for security reasons. Users are not supposed to ever use it in their scripts. The whole point of being able to create extra mysql users, and why an extra mysql user is created when you create a database, is so that you don't have to use the system account in your scripts. Storing system account passwords in a world-readable php file is a very very bad idea. This will help with that, but I urge everyone to not use system account password for their database scripts, use a different one, that's why they're there, and why the system account is hidden. System account mysql really should only be used for things like phpmyadmin, in my opinion.

Regarding the change, would it work if we were to provide the checkboxes like at the User Level.. but for Reseller/Admin Level password resets? This would allow you to select which bits you want to reset.

John
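
A host can audit for the situation described above: scripts that log in to MySQL as the system account and sit in world-readable files. The following is an added example, not part of the post and not a DirectAdmin tool; it assumes extra MySQL users carry a `username_` prefix (so a quoted string equal to the bare account name is the red flag), and the directory tree, file names and the account `alice` are constructed.

```python
import os
import re
import stat
import tempfile

# Quoted string literals, e.g. 'alice' or "alice_shop"
LITERAL = re.compile(r"""(['"])([^'"\n]*)\1""")
SCRIPT_EXT = (".php", ".inc", ".ini", ".cfg", ".env")


def audit_home(home, system_user):
    """Return sorted [(path, world_readable, line_no)] for script files that
    quote the system account name on its own (not an extra user like 'alice_shop')."""
    findings = []
    for root, _dirs, files in os.walk(home):
        for name in files:
            if not name.endswith(SCRIPT_EXT):
                continue
            path = os.path.join(root, name)
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    if any(m.group(2) == system_user for m in LITERAL.finditer(line)):
                        findings.append((path, world_readable, line_no))
    return sorted(findings)


def build_sample(home):
    """Constructed tree: one config using the system account, one using an extra user."""
    bad = os.path.join(home, "domains", "example.com", "public_html", "config.php")
    good = os.path.join(home, "domains", "example.com", "public_html", "shop", "settings.php")
    os.makedirs(os.path.dirname(good))
    with open(bad, "w") as fh:   # the variable is deliberately not called "password"
        fh.write("<?php\n$db_login = 'alice';\n$db_secret = 'constructed-value';\n")
    with open(good, "w") as fh:
        fh.write("<?php\n$dbuser = 'alice_shop';\n$dbpass = 'constructed-value';\n")
    os.chmod(bad, 0o644)    # readable by every local user
    os.chmod(good, 0o600)   # owner only
    return bad, good


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        for path, world, line_no in audit_home(home, "alice"):
            print(f"{path}:{line_no} system account in script; world-readable={world}")
```

Matching on the account name rather than on a variable called "password" also finds the files that would break when a reset changes the system account's MySQL password.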
 
I think what you're saying is that my user shouldn't have used that account to create a mysql database. I wonder how he even did it, then.

Personally I'd like to be able to choose what I reset.

Jeff
 
There isn't anything stopping him from using it. It's there and available, he would have just guessed/assumed that it works, which it does.

I can add the checkboxes for the next release.

John
 
Sort of my point...

WHMCS uses the API to set up an account in DA. In the WHMCS panel for the user's account this password clearly appears in plain text, but this randomly generated password is DIFFERENT than the one that is chosen by the user when they sign up for an account.
Now before even getting online, they have 2 passwords to remember.
This may very well be something that needs to be started from WHMCS. That is why it is posted there.
The point is that passwords lost, forgotten, etc. are one of the things that keep us the busiest, sending passwords, resetting them etc. are not secure options, having the user able to choose and manage their own passwords especially on creation of the account is labour saving!
 
If you do not like the way WHMCS does this then don't use the signup process they provide. I also don't like the way WHMCS picks the DA account password and username. I use the api for both WHMCS and DA and I do set the passwords to be the same initially. But I allow the user to change one or the other but do not force them to keep the passwords in sync.

The user clearly has the ability to pick whatever password he wants after the account is set up in WHMCS. All he has to do is login to WHMCS and change the DA password. The process for doing this should be included in your email to them.

However if I wanted to make the user keep his passwords in sync I suppose I could take some time and write code to do that. If that is what you want then you should do it. It's not hard when you have direct access to the WHMCS database and the DA server. It's not a big deal.

I control DA and WHMCS. They do not control me.
 