Just learned that FileZilla stores passwords in clear text

ftanner
503 Bad sequence of commands
Posts: 20
Joined: 2013-08-07 16:17
First name: Frank
Last name: Tanner

Re: Just learned that FileZilla stores passwords in clear te

#31 Post by ftanner » 2013-08-15 19:17

njpsolid wrote: It's safe using FileZilla. That is why you have preferences. You can quickly clear your user cPanel details using the Quickconnect. I don't see why this is an issue.

This is an issue because it goes against every basic security principle out there.

JohnBentley
500 Command not understood
Posts: 2
Joined: 2021-07-08 14:19
First name: John
Last name: Bentley

Re: Just learned that FileZilla stores passwords in clear text

#32 Post by JohnBentley » 2021-07-08 15:17

Tim Kosse, it seems that over time you've come to see the wisdom in providing the ability to encrypt site-specific passwords, with your Master Password feature. As mentioned, for example, in Site Manager password security.

With Master password enabled (Edit > Settings > Interface > Passwords >) I see (on Windows for example) in C:\Users\John\AppData\Roaming\FileZilla\sitemanager.xml values like ...

Code:

<Pass encoding="crypt" pubkey="[long length of random characters]">[long length of random characters, presumably the private key]</Pass>

Presumably an attacker getting access to sitemanager.xml couldn't use the public key and private key to decode an FTP site's password, without also being in possession of the Master Password. Is that right?
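An added example, not part of the thread or of FileZilla's code: a small audit that classifies each saved site in a sitemanager.xml by how its `<Pass>` element is stored, without decoding any value. Only the `encoding="crypt" pubkey="..."` form comes from the post above; the surrounding element names, the `encoding="base64"` and bare `<Pass>` forms, and all sample values are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real profile. The encoding="crypt" pubkey="..." form
# is the one quoted in the post; the other element names and the base64 / bare
# <Pass> forms are assumptions about the file layout.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><User>alice</User><Name>protected site</Name>
      <Pass encoding="crypt" pubkey="PLACEHOLDER_PUBKEY">PLACEHOLDER_DATA</Pass>
    </Server>
    <Folder>
      <Server>
        <Host>ftp.example.org</Host><User>bob</User><Name>encoded only</Name>
        <Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      </Server>
    </Folder>
    <Server>
      <Host>ftp.example.net</Host><User>carol</User><Name>legacy plain</Name>
      <Pass>constructed</Pass>
    </Server>
    <Server>
      <Host>ftp.example.edu</Host><User>dave</User><Name>no saved password</Name>
    </Server>
  </Servers>
</FileZilla3>"""


def classify(pass_elem):
    """Return a storage class for one <Pass> element without decoding its value."""
    if pass_elem is None or not (pass_elem.text or "").strip():
        return "none"
    if pass_elem.get("encoding") == "crypt" and pass_elem.get("pubkey"):
        return "encrypted"
    return "recoverable"  # base64, bare text, or any unrecognised encoding


def audit(xml_text):
    """Return [(site name, host, storage class)] for every <Server>, nested or not."""
    root = ET.fromstring(xml_text)
    return [(s.findtext("Name", "").strip(), s.findtext("Host", "").strip(),
             classify(s.find("Pass")))
            for s in root.iter("Server")]


if __name__ == "__main__":
    for name, host, status in audit(SAMPLE):
        print(f"{status:12} {name} ({host})")
```

Entries reported as "recoverable" are the ones to re-save after enabling the master password, or to remove from the file.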
