The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Securely roll out email accounts/pw to remote users

Discussion in 'cPanel Developers' started by awgerber, Jul 16, 2009.

  1. awgerber

    awgerber Registered

    Jul 16, 2009
    Likes Received:
    Trophy Points:
    Hi all,

    I consider to switch to a provider who is using cPanel. On our old system I programmed in php my own email account management system.

    The unique thing about it is that people we create an email account with a roll out mechanism. The system sends out an email to the client's old email account with a link to obtain his new email password. This link leads then to a encrypted page. If somebody intercepts the email on its way and clicks on that link a second click will automatically disable the account...

    Is there a function in cPanel that is doing a secure roll out of a password to a client already? Or is there some "lost password" function that is secure?

    On the other hand I downloaded already the and had a quick glance over it. It seems powerful... but I did not see how to get the users password and how to disable the account...

    Could you please give me a hint?

  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Nov 29, 2006
    Likes Received:
    Trophy Points:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    cPanel users are standard Unix users. As such, their passwords are hashed (not encrypted). To put it simply, hashed passwords are not retrievable, the most you can do is compare to see if a password is correct or not.

    You can use the XML API to change a user's password, at which time you can probably have your script store the password. Just be sure to do this very carefully as not to create a security vulnerability on the server.

    As for "disabling" a cPanel account, you can suspend an account - but that will also display a suspended page on their website when anyone visits it while the account is suspended.

    If you need clarification on how to suspend an account or change an account's password via the XML API, let me know.

Share This Page