WHMCS - client password hash generation

WHMCS Versions 6.3.0 and Newer

In version 6.3.0, WHMCS changed the method it uses to hash passwords. The release notes state that it now uses BCRYPT password hashing. It would appear that WHMCS is now using the password_hash() function provided with PHP. The following code can be used to generate a valid password hash to be stored in the DB.

$hash = password_hash($password, PASSWORD_BCRYPT);

WHMCS Versions 4.2.1 through 6.2.x

These versions of WHMCS create a client password hash using the md5() function along with a randomly generated salt. The salt is appended to the end of the stored hash, delimited by a colon. To generate a password hash using this method, you must first generate a salt that is 5 characters in length. Once done, you use the md5() function to create a hash of the salt followed by the password. The following code can be used to generate a valid password hash to be stored in the DB.

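// 5-character salt taken from the end of an md5 hex digest
$salt = substr(md5(mt_rand()), -5);
// Stored value: md5(salt . password), a colon, then the salt
$hash = md5($salt . $password) . ':' . $salt;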

This produces a hash that looks something like this:

c2896ab1ced6a239398f4e90af8010da:e93h2
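
The two stored formats above (the bcrypt string from 6.3.0 onward and the legacy md5:salt value) can be told apart and verified in one place, which also lets a legacy hash be replaced with bcrypt at the next successful login. The following is an added example and is not WHMCS code; the function name verify_client_password() and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not WHMCS code. verify_client_password() is a hypothetical name.

/**
 * Check a password against a stored hash in either format described above.
 * Returns [bool $ok, ?string $rehash]; $rehash is a bcrypt hash to store
 * in place of the old value, or null when no update is needed.
 */
function verify_client_password(string $password, string $stored): array
{
    // 6.3.0 and newer: bcrypt string as produced by password_hash().
    if (preg_match('/\A\$2[axy]\$/', $stored)) {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // Re-hash if the stored hash does not match current bcrypt parameters.
        $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT)
            ? password_hash($password, PASSWORD_BCRYPT)
            : null;
        return [true, $rehash];
    }

    // 4.2.1 through 6.2.x: md5(salt . password) . ':' . salt, 5-character salt.
    if (preg_match('/\A([0-9a-f]{32}):(.{5})\z/', $stored, $m)) {
        $expected = md5($m[2] . $password);
        // hash_equals() compares in constant time.
        if (!hash_equals($m[1], $expected)) {
            return [false, null];
        }
        // Correct password on a legacy hash: upgrade it to bcrypt.
        return [true, password_hash($password, PASSWORD_BCRYPT)];
    }

    // Unknown format: fail closed.
    return [false, null];
}

// Constructed sample data.
$salt   = 'ab12c';
$legacy = md5($salt . 'correct horse') . ':' . $salt;

[$ok, $rehash] = verify_client_password('correct horse', $legacy);
var_dump($ok, password_verify('correct horse', $rehash));

[$ok, $rehash] = verify_client_password('wrong guess', $legacy);
var_dump($ok, $rehash);
```

When $rehash is not null, the caller writes it back to the client's password column so the legacy value is retired.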

WHMCS Versions Prior to 4.2.1

Older versions of WHMCS use an encrypt/decrypt method. If you are using this method, you have to either use the WHMCS functions file so you can call the encrypt/decrypt functions, or use the API ( http://wiki.whmcs.com/API:Decrypt_Password ).