Hi guys,
Before I start... I'm new to this forum. FZ is (still) my favourite FTP client. I'm a professional software developer (mainly C/C++) and consider myself an "experienced" user.
Let me tell you what I think about this issue:
Only you can protect your data. No software can guarantee data safety, no matter what they tell you.
Agree. It is the user's own responsibility to care about the security of his data.
However if your system is secure, you can use nuclear missile launch codes as desktop background.
Agree also on that point. On a secure system the user's data are protected from other users or "evil software".
Some thoughts about this:
On Linux systems, I see no need at all for password encryption. Via file and directory permissions it is easy to protect data from other users' curious looks.
And Linux users usually "know what they are doing".
Recently I've read a tutorial about setting up a mail server on Linux. Even in some server configuration files, database passwords are stored in plain text. But where is the problem if only root can access them?
However, let's talk about Windows:
My experience is that most Windows users don't really know what they are doing (although they often think so...).
I agree on that point: if my PC gets infected with malware, I'm already in big trouble. So, MY first reaction would be to reinstall the OS and change my internet passwords. But several times I've seen PCs which were infected by malware whose owners didn't even KNOW about that. And let's be honest: the risk of getting infected is still a lot higher for Windows systems than for Linux systems.
Unfortunately there seems to be Windows malware which reads FZ's FTP credentials, which are stored in plain text, and uses them to infect web sites in order to spread around the internet. So you see, it is really happening!!! Of course, password encryption (via Windows CryptoAPI, e.g.) without an additional user-defined key or entropy doesn't really solve that problem, because it's possible to write malware capable of decrypting the credentials. But this is still harder than just writing a little piece of software that parses the XML file. I understand that password encryption requiring user-defined information is not desirable for some users who expect it to work out of the box; however, this would probably offer the security that some people want. That's a sort of dilemma.
So what can be done? My suggestions:
1. "Save password" should be turned off by default.
2. If the user decides to save his passwords, he must be given a hint (maybe with a big red blinking exclamation mark) that protection and security are his own responsibility (no matter whether encryption is done or not).
3. Password encryption should be provided as an option.
This doesn't solve any of Windows' security flaws and it doesn't prevent an "average user's" PC from getting infected by malware from time to time. This even happens to experienced users... But it might help to LIMIT THE DAMAGE caused by malware. This would be worth it. Think about this, dear developers. It is the least you can do to help the users.
But just saying things like "If your system gets infected, it is your own fault, don't bother me with that..." is, in my opinion, arrogant, ignorant and silly, considering which "type" most Windows users are... With an attitude like this, you are helping the "bad guys"!
Dear developer(s), I'm not going to keep bothering you with that issue. But I'm seriously thinking about contributing some code concerning password encryption (or maybe I'll build my own FZ version. It is open source, so why not...).
Regards
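The distinction the post draws above, between CryptoAPI encryption tied only to the Windows user account and encryption that additionally needs a user-supplied key, can be demonstrated with the .NET wrapper around CryptProtectData/CryptUnprotectData. The following is an added example and not FileZilla's code; it assumes Windows PowerShell or PowerShell 7 on Windows, and the credential, master password and 100,000 PBKDF2 iterations are constructed sample values.

```powershell
# Added example (not FileZilla code): DPAPI with and without user-supplied entropy.
# Assumes Windows; System.Security.Cryptography.ProtectedData wraps
# CryptProtectData / CryptUnprotectData from the Windows CryptoAPI.
Add-Type -AssemblyName System.Security

$password = 'hunter2-ftp-password'                  # constructed sample credential
$plain    = [System.Text.Encoding]::UTF8.GetBytes($password)
$scope    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Case 1: no extra entropy. The blob is bound to the Windows user account only,
# so any code running under that same account can call Unprotect and read it.
$blobNoEntropy = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
$recovered     = [System.Security.Cryptography.ProtectedData]::Unprotect($blobNoEntropy, $null, $scope)
"Without entropy, same user recovers: " + [System.Text.Encoding]::UTF8.GetString($recovered)

# Case 2: entropy derived from a master password the user types when the client starts.
function Get-EntropyFromMasterPassword {
    param([string]$MasterPassword, [byte[]]$Salt)
    # PBKDF2 (Rfc2898DeriveBytes) stretches the master password; the random salt
    # is not secret and would be stored next to the encrypted blob.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($MasterPassword, $Salt, 100000)
    try { return $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$entropy = Get-EntropyFromMasterPassword -MasterPassword 'correct horse battery staple' -Salt $salt
$blobWithEntropy = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $scope)

# Same user account, but without the master password: Unprotect throws.
try {
    [System.Security.Cryptography.ProtectedData]::Unprotect($blobWithEntropy, $null, $scope) | Out-Null
    "Unexpected: decrypted without the master password"
} catch [System.Security.Cryptography.CryptographicException] {
    "Without the master password, decryption fails as intended"
}

# With the master password: re-derive the same entropy and recover the credential.
$entropyAgain = Get-EntropyFromMasterPassword -MasterPassword 'correct horse battery staple' -Salt $salt
$ok = [System.Security.Cryptography.ProtectedData]::Unprotect($blobWithEntropy, $entropyAgain, $scope)
"With the master password, recovered: " + [System.Text.Encoding]::UTF8.GetString($ok)
```

The first case is the situation the post describes: the stored blob is opaque on disk, but it offers no protection against code running in the same user session, because that code can ask the same API to decrypt it. The second case is what "user-defined information" buys: the key material never sits on disk, so the saved credential is only usable once the user has typed the master password into the client.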