Feature Requests
Generate stronger random passwords by default for new services
Completed
Today WHMCS generates random passwords for new services consisting only of letters and numbers.
This request is about implementing a stronger random password generation routine in WHMCS that will generate passwords containing special characters such as !$%( as well.
Passwords should be generated / modified according to the value entered in Setup > Security > Required Password Strength.
It's contradictory to generate a weak password during the sign-in process and then ask the client to enter a stronger one.
Besides, some policies require stronger passwords when creating control panel and related services initial accounts.
Please, give more priority to this feature.
This is extremely important. This issue is happening with Plesk as well, where setting strong and stronger password option within Plesk denies WHMCS when creating a customer account because WHMCS isn't creating strong enough passwords with different characters apart from uppercase letters.
Please fix :)
When setting the "Password Strength" in Plesk 12.5 to "Strong", the WHMCS autogenerated passwords don't cut it. Therefore, no accounts can be created.
Making this function in WHMCS either configurable or just create passwords with special chars would also fix the Plesk Situation.
Correct! We are also facing the same problem: once we set the password strength to "Strong" in Plesk, the setup module starts generating errors. WHMCS, please enable a strong password option; in today's world medium passwords are no longer that valid.
+1 from me
I'm shocked this has not yet been implemented!
Running Plesk with Medium security is prone to getting clients hacked. This needs to change!
Yeah... the fact that this simple implementation isn't integrated is completely unacceptable.
Got sick of this issue so I did something about it (and another that was preventing automation in certain cases): https://github.com/jas8522/WHMCS-Plesk-Fixes-Module
Good job @Websavers.
In fact I noticed that bug with the ampersand in company names... but I figured they must fix it for sure in the next release, and then forgot about it.
There is another great annoyance I have with the current Plesk implementation in WHMCS: when a client creates a second subscription, it is added to the client (which is perfectly fine with me) but the login information cannot be used to login with Plesk, he needs to use the login that was first created.
Now, I think it would be a good thing if when creating the subscription, WHMCS would just add an Admin User to the client with the same credentials, with access limited to that subscription.
Also, I don't like that the client username is the same as the username of the first subscription. It should be generated out of the company name or client name.
What do you think, is such a modification possible via hooks? Probably not, I fear...
Sebastian,
I believe WHMCS devs already addressed this somewhere around the 6.x release. Current behaviour is to store a WHMCS client ID in the Plesk DB (via PleskAPI) when the client is first created on a server. Then, rather than logging in with username/password, WHMCS will create a session for the client via API so that when you click the button to open Plesk (as long as it's the button generated by the WHMCS Plesk module) it resumes the existing session. This means that no matter which hosting plan the client is viewing, they'll still successfully log in.
---
Regarding your second query about hosting plan usernames, I agree, though mostly it doesn't matter in our set-up since clients always use the WHMCS button to login to Plesk. That said, there is a hook to adjust the username that actually properly filters the data (unlike the other hooks): http://docs.whmcs.com/Hooks:OverrideModuleUsernameGeneration
What would you prefer for a username? Perhaps first initial and last name? But that might not be unique on the server... and could be too long.
Hi Websavers,
OK, so I suppose you don't even mail the access data out via email and just let the clients log in from within WHMCS? Because I found no way in the email template to be able to tell the client that they need to use the other login for Plesk.
But then, how do you handle the case where a user changes the subscription password from within Plesk?
As for the username, by looking at the hook I guess what I have in mind is not possible. Changing the username for the new Plesk customer would also affect the username of the subscription. And adding a second subscription would cause the hook to provide the same username and fail. So I guess the only way would be a custom Plesk module, which at some point I might even consider doing myself, as I have done with Virtualmin already.
We don't allow our users to use weak passwords, but WHMCS insists on creating weak passwords with no options to change it. In particular, when a customer orders a CPanel based hosting account, WHMCS assigns a weak password. The same goes for any other module created account that involves WHMCS generating a password. If symbols are too tough to implement, then at least allow us to force longer passwords to be generated.
We require strong passwords for our users. Spammers and hackers have recently stepped up efforts to break weak passwords. In particular, ordering and creating CPanel accounts via WHMCS assigns weak passwords. Further, modules that request WHMCS generate a random password get weak passwords. If symbols are too difficult to implement, then at least let us specify a minimum number of characters for the randomly generated password. 8 characters (the amount always used by WHMCS) was okay in 1996. 20 years later, standards have advanced and WHMCS hasn't.
Automation for Plesk is broken; password changes also fail. It is urgent to have more control over the passwords WHMCS generates, or it can just be linked to the password requirements already implemented for users registering to WHMCS.
Our control panel, DirectAdmin, is already doing this to enforce stronger passwords. But with automation after payments, users are not generated because the passwords generated by WHMCS do not meet the minimal requirements for a strong password required by the control panel.
We would like to see an option (for instance "Enforce difficult password generation") in WHMCS that gives newly generated hosting accounts a more difficult password with special characters.
This is causing errors in the automation, since each contracted plan has to be activated manually. It is very simple to modify your password generator code!
We require stronger passwords than what WHMCS generates. I'm not going to argue whether the ones generated are secure enough or not, but we have set security policy in Plesk that requires more than what WHMCS currently generates which causes service provisioning issues without manual intervention. This to me is a product compatibility issue that must be addressed. We should be able to set Plesk to its maximum password security setting, tell WHMCS what level to enforce, and have it generate passwords that meet the requirements. Reducing the security configuration of any "supported" product so that it can be used with WHMCS is simply unacceptable.
I do agree 1000% this is absolutely unacceptable after 2 years. C'mon guys, seriously? The whole point of WHMCS is automation. Nothing should be manual except supporting customers. I did find a workaround module that fixes this, but it shouldn't be necessary. Apparently support doesn't even bother reading or fixing these small but big issues. Also be VERY mindful that a weak password causes a server to be NON PCI compliant.
In Settings there is a password strength setting that sets how difficult passwords need to be for clients. It's mystifying that this doesn't exist for the accounts themselves. Damn, Cpanel must fight off so many brute force attacks with their weak password security policy. Get real WHMCS.
This would be so effortless and quick to implement, it baffles me the feature is not there yet.
Just to provide an update, the team has begun exploratory work to investigate support for stronger passwords across all provisioning modules and service based APIs that we integrate and work with. Following that, we plan to implement a new setting, that will default to on, that enables service password generation consisting of letters, numbers and special characters. We will provide further updates as we have them.
Thanks for the update! Hope this will be available soon!
Hi,
I'm pleased to advise this is planned for implementation in version 7.5. By default 14 character service passwords will be generated using a combination of letters (lowercase and uppercase), numbers and special characters.
A new option will be introduced in General Settings > Security Tab to allow switching back to the pre-7.4 password format if required.
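An added example, not WHMCS code and not part of any post above: a Python version of the generation rule the staff reply describes (14 characters drawn from lowercase, uppercase, digits and special characters), next to the kind of character-class check a control panel policy applies to it. The symbol set, the function names and the check itself are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed symbol set (the request names "!$%(" as examples). Restrict it to
# what every provisioning module and control panel in use actually accepts.
SYMBOLS = "!$%()*+-=?@^_"
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}


def missing_classes(password, required=CLASSES):
    """Names of required character classes that the password lacks."""
    return [name for name, pool in required.items()
            if not any(c in pool for c in password)]


def generate_service_password(length=14, required=CLASSES):
    """Password of the given length with at least one character per class."""
    if length < len(required):
        raise ValueError("length too short to cover every required class")
    alphabet = "".join(required.values())
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(pool) for pool in required.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so guaranteed characters have no fixed position.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def max_entropy_bits(length, alphabet_size):
    """Upper bound on entropy when each character is drawn uniformly."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample in the letters-and-numbers format described in the request.
    old_style = "".join(secrets.choice(string.ascii_letters + string.digits)
                        for _ in range(8))
    print(old_style, "missing:", missing_classes(old_style))
    new_style = generate_service_password()
    print(new_style, "missing:", missing_classes(new_style))
```

A policy that requires a symbol rejects every letters-and-numbers password regardless of length, which is the provisioning failure reported in the comments above.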