Old account passwords STILL WORK!

I have a client which is getting very frustrated, as his old passwords still work (as well as new).

I have spoken to the company responsible for my server license and ended up changing password from command line and that seemed to wipe out old passwords, but now hes changed the password to his own one the problem remains and all his old passwords still work.

This is a urgent security issue for the client as he gave access to someone to do something and is now unable to revoke it.

Any ideas as to why and how the hell this is happening?

 

Changing password..

He has changed password using WHMCS (which obv does changes via API module).

I have personally change his password via WHM using both the sub form on the list accounts and the dedicated account password change page.

They would enable the new passwords to work but the old passwords still work (currently he can use 3 passwords to login).

I spoke with support for where i get my server/cpanel from their solution was to change password from command line using /scripts/chpass they did this and i did this and it appeared to stop the old passwords working.

The client then changed the random gen password which i changed it to to his own... but apparently now the 3 passwords still work and allow login to the account.

 

I thought could be password override too but it isnt, I'm root (and root pass is random gen and full strength and i know the users passwords... so thats not it.

I have just logged in and out (and closed the browser between each try) with 3 different passwords on the account. No override notices shown so im fully confident this isn't a user side issue.

Is it even possible for one account to have many same level (eg, not override by reseller/root) passwords?

EDIT: Just submitted a ticket, Request id is: 454218

 

Not sure how that relates to the issue?

 

Right ok...

Was on support ticket all yesterday with cPanel... think got it fixed.

It appears that some how the password algo for the server was changed from Md5 to DES so some passwords saved as md5 (presumably those which havent been changed in a while/since algo change)

So I was instructed to change algo via command line and re-changed the users password so saved as md5.

It appears the problem was because DES only allows a set number of characters and anything extra is ignored so when my client changed his password to something he was just changing the last few chars meaning the first x letters were the same.

Now been corrected so hopefully wont have the issue again, was certainly a mind boggler. lol