How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

  1. Home
  2. Ideas
  3. Clients
  4. Specify user password via admin

Specify user password via admin

  • Kyle Gordon shared this idea 4 years ago
  • Clients
  • 4 Comments


255 Votes
Login to Vote
Sometimes email is an issue and I have clients unable to recieve the password reset. They call and request I reset it on my end for them so they can login. They seem baffled when I tell them I am not only unable to see the current password (which is to be expected) but that I also can not change it manually.

In this scenario there is a catch 22 issues: Clients domain expired so their email and site go down. They try logging in to renew but can't remember the password (super common). They do the password reset but their email doesn't work. They call me for help getting into their account but I have no ability to do so.

The same goes for people who no longer have the original email used or the email used was an ex-employee. There are just too many issues that come up and we need more control to help resolve them.

7 Comments

Login to post a comment.

moon commented 2 months ago
This is a very useful feature
Tarik commented 12th August 23
i agree it is such a pain that this has been removed. such a regression of functionality
Arf commented 11th August 23
With respect your instructions, "If a user no-longer has access to their email or is experiencing delivery problems, then staff would assist them in changing the email address to one which is functional, and send the password reset there instead." are just as risky as being able to reset their password but requires more steps. Further, when we add a new client (Clients > Add New Client) we have to set the password. You're not consistent and no more secure. So why not give the feature back.
Websavers commented 25th September 24
Incorrect, It is not just a risky. In both cases staff must work with the customer to ensure that the person providing the info is legit and not an imposter. Yet the way it is now, staff never know the client's password. The way you want it done, staff will *know* the client's password, making in inherently less secure overall.

Please brush up on your understanding of security.
Official Response
WHMCS commented 24th January 21
Hi Kyle,
Admins can send password resets via the "Users" tab. Please review this guide for step-by-step: https://help.whmcs.com/m/v80/l/1301340-where-is-the-reset-send-password-option
If a user no-longer has access to their email or is experiencing delivery problems, then staff would assist them in changing the email address to one which is functional, and send the password reset there instead.

In v8.0 and above we introduced a significant update to the authentication and authorization system for accounts and users in WHMCS. Client Accounts no longer have passwords, authentication is now done via Users.

v8.0 and above intentionally does not expose or permit direct manipulations of User passwords via the UI or in emails. Instead an email-based invitation and reset process is used in line with current best-design and security practices. This paradigm is common to many modern SaaS systems.
Mahamodul Hasan Khan commented 25th June 23
Today I face 3 cases, customers can't receive an email, and customers ask to set a random password, but we can't set it because we u[grate v8 yesterday.

Please let me know how we can back this again.
Websavers commented 25th September 24
100% this is the right way to handle this:

If a user no-longer has access to their email or is experiencing delivery problems, then staff would assist them in changing the email address to one which is functional, and send the password reset there instead.

NOT allowing admins to see the client password by setting it. WHMCS has done the right thing here from a security perspective.