Filezilla Password File

Come here to discuss FileZilla and FTP in general

Moderator: Project members

halfbrazilian
500 Command not understood
Posts: 1
Joined: 2009-03-04 18:26

Filezilla Password File

#1 Post by halfbrazilian » 2009-03-04 18:39

I have been using Filezilla as a SFTP client for about a year now. I just discovered two things about Filezilla that made me angry. Number 1, Filezilla stores previous sessions under the quick connect button. All someone has to do to connect to your files is go onto a computer that you used Filezilla on, and click on the arrow next to the quick connect button and click your username. This can be done from any user on the client system. Number 2, not only does filezilla save my password without asking if I would like it saved first, it stores the password as plain text in a file. Honestly, both of these items are security risks that should be taken out of the software. For now, how does one go about keeping filezilla from saving sessions and passwords altogether by default? I mean, I would like if it stored the public key of the server in order to prevent man-in-the-middle attacks but I do not want it storing my passwords. I should have to type my password every time in order to log in to a session.

boco
Contributor
Posts: 24156
Joined: 2006-05-01 03:28
Location: Germany

Re: Filezilla Password File

#2 Post by boco » 2009-03-04 19:13

Use the file fzdefaults.xml to switch Filezilla into kiosk mode. It will then refuse to store any passwords. A sample file called fzdefaults.xml.example (with instructions inside) is in the docs subdirectory.

The plaintext passwords won't be changed. Search the forums why obfuscation wouldn't work. The OS is responsible for restricting access to your Filezilla configurations.
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
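To make the kiosk-mode advice above and the concern in the opening post concrete, here is an added example (written for this thread, not FileZilla project code) that generates a kiosk-mode fzdefaults.xml and audits a FileZilla configuration directory for servers that carry a stored password. It assumes, as in the fzdefaults.xml.example shipped with FileZilla, that kiosk mode is switched on with `<Setting name="Kiosk mode">1</Setting>`, and that the Quick Connect history and Site Manager entries live in recentservers.xml and sitemanager.xml with each password in a `<Pass>` element; the sample server entries, hostnames and the password `hunter2` are constructed for the demonstration.

```python
"""Audit a FileZilla profile for stored passwords and emit a kiosk-mode fzdefaults.xml.

Added example for this thread, not FileZilla's own code. Assumptions:
  * recentservers.xml (Quick Connect history) and sitemanager.xml hold one
    <Server> element per connection, with the password in a child <Pass>;
  * fzdefaults.xml enables kiosk mode via <Setting name="Kiosk mode">1</Setting>.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Minimal fzdefaults.xml that tells FileZilla never to store passwords.
KIOSK_DEFAULTS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Settings>
    <Setting name="Kiosk mode">1</Setting>
  </Settings>
</FileZilla3>
"""

# Constructed sample of a recentservers.xml: one entry with a saved password, one without.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>alice</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>bob</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def find_stored_passwords(xml_text):
    """Return (host, user) for every <Server> that carries a non-empty <Pass>.

    The password value itself is deliberately not returned: an audit only needs
    to know which accounts are exposed, not to copy the secrets elsewhere.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for server in root.iter("Server"):
        if server.findtext("Pass"):
            hits.append((server.findtext("Host", ""), server.findtext("User", "")))
    return hits


def audit_config_dir(config_dir):
    """Scan the FileZilla config directory and map file name -> exposed (host, user) pairs."""
    findings = {}
    for name in ("recentservers.xml", "sitemanager.xml"):  # assumed file names
        path = Path(config_dir) / name
        if path.is_file():
            hits = find_stored_passwords(path.read_text(encoding="utf-8"))
            if hits:
                findings[name] = hits
    return findings


def kiosk_mode_enabled(defaults_text):
    """True if the given fzdefaults.xml content switches kiosk mode on (value 1 or 2)."""
    root = ET.fromstring(defaults_text)
    for setting in root.iter("Setting"):
        if setting.get("name") == "Kiosk mode":
            return (setting.text or "").strip() in ("1", "2")
    return False


def write_kiosk_defaults(dest_dir):
    """Write the kiosk-mode fzdefaults.xml into dest_dir and return its path."""
    path = Path(dest_dir) / "fzdefaults.xml"
    path.write_text(KIOSK_DEFAULTS, encoding="utf-8")
    return path


if __name__ == "__main__":
    import tempfile

    # Demonstrate against a throwaway directory instead of a real profile.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "recentservers.xml").write_text(SAMPLE_RECENTSERVERS, encoding="utf-8")
        print("accounts with a stored password:", audit_config_dir(tmp))
        written = write_kiosk_defaults(tmp)
        print("kiosk mode enabled in", written, "->",
              kiosk_mode_enabled(written.read_text(encoding="utf-8")))
```

Pointing `audit_config_dir` at the real profile directory (on Windows the FileZilla folder under `%APPDATA%`) lists the accounts whose passwords are currently on disk, which is also the list of accounts whose passwords should be rotated once kiosk mode is in place, since enabling it stops future storage but does not scrub what was already written.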

onetimeonly
500 Command not understood
Posts: 2
Joined: 2009-03-04 23:16
First name: Not
Last name: Important

Re: Filezilla Password File

#3 Post by onetimeonly » 2009-03-05 01:32

Kiosk mode seems like a good solution.

It shouldn't be necessary to jump through all kinds of hoops to even discover that kiosk mode exists. No software should ever store passwords silently, without asking. If it asks, that's a hint to the administrator that something has to be turned off. It's a flaw in other software that they store passwords, but at least most of them signal you that they're doing it.

I agree that storing passwords in plaintext is a reasonable practice if you need to be able to retrieve them. However, other than a password locker sort of program, I'm not convinced that any software needs to be able to retrieve passwords. Your huge gaping security hole is not storing passwords in plaintext. It is saving them at all.

I've converted our installations to kiosk mode. My users are used to Filezilla, so I'm not getting rid of it right away. However, I'm now actively looking for an alternative. I've always thought that Filezilla was an excellent program. I'm not so convinced now.

sgoggins
500 Command not understood
Posts: 2
Joined: 2008-03-15 16:42
First name: Sean
Last name: Goggins

Re: Filezilla Password File

#4 Post by sgoggins » 2010-02-10 16:05

Well, as insecure as this feature is, it just *saved* me from a forgotten password! (And I only use Filezilla on a laptop I maintain physical control over)

Sean

maathieu
500 Command not understood
Posts: 5
Joined: 2009-09-07 11:22
First name: maathieu
Last name: maathieu

Re: Filezilla Password File

#5 Post by maathieu » 2010-03-18 11:19

Still wondering why in 2010 it is so hard to implement a Master Password policy, just as Firefox or Thunderbird do. Encryption then cannot be broken unless you know the Master Password, which should NOT be stored anywhere.

Talking about this issue: the name "Filezilla" makes many users think that it is somehow related to the Mozilla project (Firefox, Thunderbird), thus letting users believe that all those applications follow the same coding practices and offer the same security. However it is not the case as Filezilla stores passwords in plain text. If there is no advancement on this subject, some users may get in touch with the Mozilla foundation and ask them what they think about it.

Cheers,

maathieu

botg
Site Admin
Posts: 31605
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla Password File

#6 Post by botg » 2010-03-18 19:30

Open Explorer, go to %APPDATA%. Right-click the FileZilla item and choose Properties. In there, enable encryption. Your Windows password is now your master password. You enter it when you log into Windows.

boco
Contributor
Posts: 24156
Joined: 2006-05-01 03:28
Location: Germany

Re: Filezilla Password File

#7 Post by boco » 2010-03-18 20:51

Just a small addendum concerning Windows:
  • Windows XP Home
  • Windows Vista Starter, Home Basic, Home Premium
  • Windows 7 Starter, Home Basic, Home Premium
The operating systems above do NOT support the procedure botg mentioned. If you have any of these OSes, you need to use 3rd party solutions (Truecrypt). Thank Microsoft for providing software with crippled security.
