Hide password File ?

Come here to discuss FileZilla and FTP in general

zeekie
500 Command not understood
Posts: 1
Joined: 2012-02-16 14:20
First name: Jeff
Last name: Mack

Hide password File ?

#1 Post by zeekie » 2012-02-16 14:37

Hey guys,
So I have been using FileZilla for a long time. But I also had my websites hacked a couple of times, and after some vigorous work, I found out that my computer was infected and the virus was able to get my FileZilla password file. So my question is this: is there a way to either hide or encrypt the FileZilla password file?

Thanks

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: Hide password File ?

#2 Post by boco » 2012-02-16 14:55

Encrypt your user home directory.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Hide password File ?

#3 Post by botg » 2012-02-17 07:29

You can disable saving of passwords in the settings dialog of FileZilla.

tateu
450 Internal Error
Posts: 38
Joined: 2004-11-13 01:19

Re: Hide password File ?

#4 Post by tateu » 2012-03-02 06:00

boco wrote: Encrypt your user home directory.
And how exactly does that help? My understanding of how an encrypted home directory works (at least it does with something like TrueCrypt) is that the encrypted volume is mounted while the computer is on and the user is logged in. This means your sitemanager.xml file is decrypted on the fly for any application that requests it and so no protection is provided. The encrypted home directory only helps when the volume is unmounted.

Thankfully, the project is open source and I have been able to modify it to suit my own needs.

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: Hide password File ?

#5 Post by boco » 2012-03-02 22:06

tateu wrote: My understanding of how an encrypted home directory works (at least it does with something like TrueCrypt) is that the encrypted volume is mounted while the computer is on and the user is logged in.
Yes, exactly. You are expected to log off or lock when you walk away.

Encrypting the home directory doesn't work against malware running in your user context. But neither does obfuscation.

tateu
450 Internal Error
Posts: 38
Joined: 2004-11-13 01:19

Re: Hide password File ?

#6 Post by tateu » 2012-03-02 22:50

boco wrote: Encrypting the home directory doesn't work against malware running in your user context. But neither does obfuscation.
Locking the front door to my house doesn't protect me against the competent thief who knows how to pick the lock but that doesn't mean I am going to start leaving my door unlocked so that anyone can get in. Same thing applies here. Just because someone can write specialized malware that knows to wait for me to enter my master password so it can read my passwords from RAM, doesn't mean that I want to make it easy for them by leaving them in a plaintext file on my hard drive.

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Hide password File ?

#7 Post by botg » 2012-03-03 08:56

You're using the wrong analogy.

Correct one: If the thief is already in your house, locking the front door does nothing.

tateu
450 Internal Error
Posts: 38
Joined: 2004-11-13 01:19

Re: Hide password File ?

#8 Post by tateu » 2012-03-03 18:27

I figured you would come back with that...

Ok, so how about storing my valuables in a locked safe in my house instead of an unlocked safe?

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Hide password File ?

#9 Post by botg » 2012-03-03 20:20

Same thing, if the thief is already in your safe...

If there's malware already on your computer, you've lost already. Your system has been compromised at that point.

However if your system is secure, you can use nuclear missile launch codes as desktop background.

wpompen
500 Command not understood
Posts: 5
Joined: 2008-08-27 08:09
First name: William
Last name: P

Re: Hide password File ?

#10 Post by wpompen » 2012-03-27 08:29

Has anyone had experience with this one? I have... I'm switching!

http://www.couchcms.com/forum/viewtopic.php?f=4&t=6923

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: Hide password File ?

#11 Post by boco » 2012-03-27 08:37

That's your good right. If you think security through obscurity is good enough for you, then bye.

wpompen
500 Command not understood
Posts: 5
Joined: 2008-08-27 08:09
First name: William
Last name: P

Re: Hide password File ?

#12 Post by wpompen » 2012-04-09 13:39

Let's not talk about "rights" ;-)

Don't you agree that keeping this kind of information in a plain text file is a bit too easy?

Even with a decent AV there's no guarantee to stay clean, so what would you suggest?
Not saving credentials?

:-)

ps, I chose to switch but I didn't like that at all since I liked FZ a lot ... !!!
That's why I was really surprised to discover this, I'd have guessed that our data was protected, anyway, hope to use FZ again soon...

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: Hide password File ?

#13 Post by boco » 2012-04-09 22:47

wpompen wrote: Don't you agree that keeping this kind of information in a plain text file is a bit too easy?
Define ''easy''. Any attempt to obfuscate password information will be countered by malware writers without any problems. Since FileZilla is Open Source, it is not even possible to keep anything secret in the code (the kind of ''hiding game'' some commercial closed source apps play).
wpompen wrote: Even with a decent AV there's no guarantee to stay clean, so what would you suggest?
A decent AV (if such a thing even exists) is not an excuse to feel safe. Many people rely on AVs, firewalls and similar stuff, and then wonder why they get burned. The biggest security problem is in front of the screen!
wpompen wrote: Not saving credentials?
Yes. I have been running kiosk mode 1 for years now. Maybe you can use dedicated software like KeePass (Open Source, that one has strong encryption) if that gives you a warm and fuzzy feeling. KeePass can even auto-enter the information into the FileZilla dialogs IIRC.
wpompen wrote: I'd have guessed that our data was protected, anyway, hope to use FZ again soon...
Only you can protect your data. No software can guarantee data safety, no matter what they tell you.

C__C

Re: Hide password File ?

#14 Post by C__C » 2012-04-17 14:22

Hi guys,

before I start... I'm new to this forum. FZ is (still) my favourite FTP client. I'm a professional software developer (mainly C/C++) and consider myself an "experienced" user :wink:

Let me tell you what I'm thinking about this issue:
boco wrote: Only you can protect your data. No software can guarantee data safety, no matter what they tell you.
Agree. It is the user's own responsibility to take care of the security of his data.
botg wrote: However if your system is secure, you can use nuclear missile launch codes as desktop background.
Agree also on that point. On a secure system the user's data are protected from other users or "evil software".

Some thoughts about this:

On Linux systems, I see no need at all for password encryption. Via file and directory permissions it is easy to protect data from other users' curious looks :wink:
And Linux users usually "know what they are doing".
Recently I've read a tutorial about setting up a mail server on Linux. Even in some server configuration files, database passwords are stored in plain text. But where is the problem if only root can access them :)

However, let's talk about Windows:

My experience is that most Windows users don't really know what they are doing (although they often think so...).
I agree on that point, that if my PC gets infected with malware, I'm already in big trouble. So, MY first reaction would be to reinstall the OS and change my internet passwords. But several times I've seen PCs which were infected by malware whose owners didn't even KNOW about it. And let's be honest: the risk of getting infected is still a lot higher for Windows systems than for Linux systems.

Unfortunately there seems to be Windows malware which reads FZ's FTP credentials, which are stored in plain text, and uses them to infect web sites to spread around the internet. So you see, it is really happening!!! Of course, password encryption (via Windows CryptoAPI, e.g.) without an additional user-defined key or entropy doesn't really solve that problem, because it's possible to write malware capable of decrypting the credentials. But this is still harder than just writing a little piece of software that parses the XML file. I understand that password encryption requiring user-defined information is not desirable for some users who expect it to work out of the box, however this would probably offer the security that some people want. That's a sort of dilemma :|

So what can be done? My suggestions:
1. "Save password" should be turned off by default.
2. If the user decides to save his passwords, he must be given a hint (maybe with a big red blinking exclamation mark :wink: ) that protection and security is his own responsibility (no matter if encryption is done or not).
3. Password encryption should be provided as an option.

This doesn't solve any of Windows's security flaws and it doesn't prevent an "average user's" PC from getting infected by malware from time to time. This even happens to experienced users... But it might help to LIMIT THE DAMAGE caused by malware. This would be worth it. Think about this, dear developers. It is the least you can do to help the users.

But just saying things like "If your system gets infected, it is your own fault, don't bother me with that..." is, in my opinion, arrogant, ignorant and silly, considering which "type" most Windows users are... with an attitude like this, you are helping the "bad guys"!

Dear developer(s), I'm not going to keep bothering you with that issue. But I'm seriously thinking about contributing some code concerning password encryption (or maybe I'll build my own FZ version. It is open source, so why not...).

Regards
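
An added example, written for this page and not code from the original thread or from the FileZilla project, to make concrete what posts #13 and #14 are arguing about: how little the "little piece of software that parses the XML file" has to do against a plaintext or merely obfuscated sitemanager.xml, and what is left to harvest once a site is saved with "ask for password", which is what boco's kiosk mode 1 and botg's "disable saving of passwords" amount to. The sitemanager.xml below is constructed for this example; the element names follow the layout of FileZilla's Site Manager file, and the Logontype values used (1 = normal, password stored; 2 = ask for password) are assumptions about FileZilla's format that you should check against your own version. The base64 entry stands in for the obfuscation boco says is pointless (later FileZilla releases do write `<Pass encoding="base64">`, which is why a harvester bothers to handle it).

```python
"""Added example (not FileZilla's code): harvesting credentials from a
FileZilla-style sitemanager.xml, and what a "do not save passwords" entry
leaves for the harvester. Standard library only, constructed sample data.

Assumption: Logontype 1 = stored password, Logontype 2 = ask for password."""
import base64
import xml.etree.ElementTree as ET

LOGONTYPE_NORMAL = "1"  # user name and password stored in the file
LOGONTYPE_ASK = "2"     # user name stored, password asked on connect

# Constructed sitemanager.xml, not taken from any real user's profile.
# Site 1: plaintext password, as FileZilla wrote it at the time of this thread.
# Site 2: the same idea with a base64 layer, standing in for "obfuscation".
# Site 3: saved with "Ask for password", i.e. what kiosk mode 1 produces.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Logontype>1</Logontype>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>plaintext site</Name>
    </Server>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>2121</Port>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>obfuscated site</Name>
    </Server>
    <Server>
      <Host>sftp.example.com</Host>
      <Port>22</Port>
      <Logontype>2</Logontype>
      <User>admin</User>
      <Name>kiosk-mode site</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def harvest_credentials(xml_text):
    """Return (host, port, user, password) for every site whose password can be
    read back from the file. This is the whole of the attacker's "parser": the
    file itself says which decoding to apply, so obfuscation costs one line."""
    found = []
    for server in ET.fromstring(xml_text.encode("utf-8")).iter("Server"):
        if server.findtext("Logontype") != LOGONTYPE_NORMAL:
            continue  # "ask for password" entries hold no secret
        pass_el = server.find("Pass")
        if pass_el is None or not pass_el.text:
            continue
        password = pass_el.text
        if pass_el.get("encoding") == "base64":
            password = base64.b64decode(password).decode("utf-8")
        found.append((server.findtext("Host"),
                      int(server.findtext("Port") or "21"),
                      server.findtext("User"),
                      password))
    return found


def strip_saved_passwords(xml_text):
    """Post-incident cleanup of an existing file: drop every stored password and
    flip the entry to "ask for password". Returns (new_xml, number_removed).
    Assumption: FileZilla prompts at connect time for Logontype 2 entries."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    removed = 0
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is not None:
            server.remove(pass_el)
            removed += 1
        logon = server.find("Logontype")
        if logon is not None and logon.text == LOGONTYPE_NORMAL:
            logon.text = LOGONTYPE_ASK
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for host, port, user, password in harvest_credentials(SAMPLE_SITEMANAGER):
        print(f"{user}:{password}@{host}:{port}")
    cleaned, n = strip_saved_passwords(SAMPLE_SITEMANAGER)
    print(f"removed {n} stored password(s); "
          f"harvest now yields {harvest_credentials(cleaned)}")
```

Run it and the first two sites give up host, user and password in a dozen lines of standard library; the base64 layer changes nothing except one extra branch. The third site yields nothing, because nothing was written to disk, which is the only outcome that does not depend on how clever the malware is. strip_saved_passwords() is the step you would take on an existing file after an incident like zeekie's, on top of changing the passwords themselves. It does not defend against malware that waits for you to type the password, which is tateu's point in post #6, but it removes the file as an unattended, zero-effort target.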

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Hide password File ?

#15 Post by botg » 2012-08-02 06:36

What do you mean?
