Secure Password Storage (User Accounts / Admin Accounts)
- User account passwords are currently stored in the database as a salted MD5 hash (if enabled)
- Admin account passwords are currently stored in the database only as an unsalted MD5 hash
I think it is not a secret that with tools like http://hashcat.net/oclhashcat/ it is possible to dehash MD5 - even without rainbow tables - in a realistic, timely manner.
Instead, PHP's own password hashing function (which is currently bcrypt) should be used: let PHP do the random salt generation and use a cost of at least 14.
The Technical Analyst Lawrence seems to be defending himself against implementing such a simple security enhancement. A no-brainer, really, to make WHMCS more secure.
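As an added example (not WHMCS code and not part of the post above), the following shows what the request amounts to in PHP: password_hash() with PASSWORD_BCRYPT and a cost of 14, password_verify() at login, and a transparent upgrade of existing MD5 rows the next time a user logs in successfully, since that is the only moment the plaintext is available. The legacy formats used here (unsalted md5($password) for admins, md5($salt . $password) for users) are assumptions for illustration; the post does not say how WHMCS combines the salt and the password, and the function names are the example's own.

```php
<?php
// Added example, not WHMCS code. Requires PHP >= 5.5 for password_hash().
// Assumed legacy formats (illustration only):
//   admin: md5($password)            (unsalted)
//   user:  md5($salt . $password)    (salted)
declare(strict_types=1);

const BCRYPT_COST = 14;   // 2^14 rounds; benchmark on the real server before deploying

// Hash a new or changed password. password_hash() generates a random
// 128-bit salt itself; never pass your own salt.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// password_verify() reads algorithm, cost and salt from the stored string
// and compares in constant time.
function verify_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// A bare 32-hex-digit string is taken to be a legacy MD5 row;
// bcrypt output always starts with "$2y$".
function is_legacy_md5(string $storedHash): bool
{
    return strlen($storedHash) === 32 && ctype_xdigit($storedHash);
}

// Hypothetical legacy check. hash_equals() avoids a timing side channel
// on the comparison itself.
function verify_legacy_md5(string $password, string $storedHash, ?string $salt): bool
{
    return hash_equals($storedHash, md5(($salt ?? '') . $password));
}

// Login path. Returns whether the password was correct and, when the row
// is still MD5 (or bcrypt at a lower cost than BCRYPT_COST), the new hash
// the caller must write back to the database in place of the old one.
function login_and_upgrade(string $password, string $storedHash, ?string $salt = null): array
{
    if (is_legacy_md5($storedHash)) {
        if (!verify_legacy_md5($password, $storedHash, $salt)) {
            return ['ok' => false, 'newHash' => null];
        }
        // Correct password and we hold the plaintext: rehash now, drop the MD5 row.
        return ['ok' => true, 'newHash' => hash_password($password)];
    }

    if (!verify_password($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    // Already bcrypt: rehash only if the cost has since been raised.
    $needsRehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return ['ok' => true, 'newHash' => $needsRehash ? hash_password($password) : null];
}

// --- Demo with constructed data (no real accounts) ---
$password    = 'correct horse battery staple';
$adminLegacy = md5($password);                 // unsalted, as described for admin accounts
$userSalt    = bin2hex(random_bytes(8));
$userLegacy  = md5($userSalt . $password);     // salted (assumed construction)

$r = login_and_upgrade($password, $adminLegacy);
assert($r['ok'] && $r['newHash'] !== null && strpos($r['newHash'], '$2y$14$') === 0);

$r = login_and_upgrade($password, $userLegacy, $userSalt);
assert($r['ok'] && $r['newHash'] !== null);

$r = login_and_upgrade('wrong password', $adminLegacy);
assert(!$r['ok'] && $r['newHash'] === null);

// Once upgraded, the bcrypt row verifies and needs no further rehash at this cost.
$upgraded = hash_password($password);
$r = login_and_upgrade($password, $upgraded);
assert($r['ok'] && $r['newHash'] === null);
echo "all checks passed\n";
```

Two caveats worth knowing before copying this pattern: bcrypt only uses the first 72 bytes of the password, so a length limit or a pre-hash has to be decided on explicitly, and a cost of 14 means roughly 16,000 rounds per hash, which can take on the order of a second on modest hardware. That is the point of the cost factor, but it should be measured on the production box, and password_needs_rehash() is what lets the cost be raised later without a migration.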