FileZilla Forums

Welcome to the official discussion forums for FileZilla
It is currently 2014-04-19 20:04 (all times are UTC)

This topic is locked, you cannot edit posts or make further replies. [ 7 posts ]
Post subject: Filezilla Password File
PostPosted: 2009-03-04 18:39
500 Command not understood
Joined: 2009-03-04 18:26
Posts: 1
I have been using Filezilla as an SFTP client for about a year now. I just discovered two things about Filezilla that made me angry. Number 1, Filezilla stores previous sessions under the quick connect button. All someone has to do to connect to your files is go onto a computer that you used Filezilla on, and click on the arrow next to the quick connect button and click your username. This can be done from any user on the client system. Number 2, not only does filezilla save my password without asking if I would like it saved first, it stores the password as plain text in a file. Honestly, both of these items are security risks that should be taken out of the software. For now, how does one go about keeping filezilla from saving sessions and passwords altogether by default? I mean, I would like if it stored the public key of the server in order to prevent man-in-the-middle attacks but I do not want it storing my passwords. I should have to type my password every time in order to log in to a session.


PostPosted: 2009-03-04 19:13
226 Transfer OK
Joined: 2006-05-01 03:28
Posts: 19649
Location: Germany
Use the file fzdefaults.xml to switch Filezilla into kiosk mode. It will then refuse to store any passwords. A sample file called fzdefaults.xml.example (with instructions inside) is in the docs subdirectory.

The plaintext passwords won't be changed. Search the forums why obfuscation wouldn't work. The OS is responsible for restricting access to your Filezilla configurations.

_________________
### BEGIN SIGNATURE BLOCK ###
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
All support requests per PM will be ignored!
### END SIGNATURE BLOCK ###
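As an added illustration (not taken from the reply above or from the FileZilla project's own files), here is a minimal fzdefaults.xml that turns on the kiosk mode the reply refers to. The `Kiosk mode` setting name and its value follow the fzdefaults.xml.example shipped in the docs subdirectory; the assumption made here is that the file is placed where FileZilla looks for defaults, which on Windows is the directory containing the FileZilla executable (on Unix-like systems ~/.filezilla/ or /etc/filezilla/ also work).

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- fzdefaults.xml: site-wide defaults applied before the user's own settings.
     Example written for this thread; only the Kiosk mode setting is shown. -->
<FileZilla3>
  <Settings>
    <!-- 1 = kiosk mode: FileZilla refuses to write any password to disk.
         Site Manager entries then have to use a logon type that prompts
         for the password at connect time instead of "Normal". -->
    <Setting name="Kiosk mode">1</Setting>
  </Settings>
</FileZilla3>
```

A practical check after restarting FileZilla and reconnecting once: the sitemanager.xml and recentservers.xml files in the per-user configuration directory (under %APPDATA%\FileZilla on Windows, as the later reply in this thread mentions) should no longer contain any Pass elements. Because the file is read from the installation directory, it is protected by the same file permissions as the program itself, so an ordinary user cannot simply edit it to switch the mode back off.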


PostPosted: 2009-03-05 01:32
500 Command not understood

Joined: 2009-03-04 23:16
Posts: 2
Kiosk mode seems like a good solution.

It shouldn't be necessary to jump through all kinds of hoops to even discover that kiosk mode exists. No software should ever store passwords silently, without asking. If it asks, that's a hint to the administrator that something has to be turned off. It's a flaw in other software that they store passwords, but at least most of them signal you that they're doing it.

I agree that storing passwords in plaintext is a reasonable practice if you need to be able to retrieve them. However, other than a password locker sort of program, I'm not convinced that any software needs to be able to retrieve passwords. Your huge gaping security hole is not storing passwords in plaintext. It is saving them at all.

I've converted our installations to kiosk mode. My users are used to Filezilla, so I'm not getting rid of it right away. However, I'm now actively looking for an alternative. I've always thought that Filezilla was an excellent program. I'm not so convinced now.


PostPosted: 2010-02-10 16:05
500 Command not understood

Joined: 2008-03-15 16:42
Posts: 2
Well, as insecure as this feature is, it just *saved* me from a forgotten password! (And I only use Filezilla on a laptop I maintain physical control over)

Sean


PostPosted: 2010-03-18 11:19
500 Command not understood

Joined: 2009-09-07 11:22
Posts: 5
Still wondering why in 2010 it is so hard to implement a Master Password policy, just as Firefox or Thunderbird do. Encryption then cannot be broken unless you know the Master Password, which should NOT be stored anywhere.

Talking about this issue: the name "Filezilla" makes many users think that it is somehow related to the Mozilla project (Firefox, Thunderbird), thus letting users believe that all those applications follow the same coding practices and offer the same security. However it is not the case as Filezilla stores passwords in plain text. If there is no advancement on this subject, some users may get in touch with the Mozilla foundation and ask them what they think about it.

Cheers,

maathieu


PostPosted: 2010-03-18 19:30
Site Admin

Joined: 2004-02-23 20:49
Posts: 22535
Open Explorer, go to %APPDATA%. Right-click the FileZilla item and choose Properties. In there, enable encryption. Your Windows password is now your master password. You enter it when you log into Windows.


PostPosted: 2010-03-18 20:51
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19649
Location: Germany
Just a small addendum concerning Windows:

  • Windows XP Home
  • Windows Vista Starter, Home Basic, Home Premium
  • Windows 7 Starter, Home Basic, Home Premium

The operating systems above do NOT support the procedure botg mentioned. If you have any of these OSes, you need to use 3rd party solutions (TrueCrypt). Thank Microsoft for providing software with crippled security.

_________________
### BEGIN SIGNATURE BLOCK ###
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
All support requests per PM will be ignored!
### END SIGNATURE BLOCK ###

