Just learned that FileZilla stores passwords in clear text
Moderator: Project members
-
- 500 Command not understood
- Posts: 5
- Joined: 2012-07-31 08:26
- First name: Jim
- Last name: Westergren
Just learned that FileZilla stores passwords in clear text
After using FileZilla for years I have now realized that the program is very dangerous as it stores the server connection details + passwords as clear text in a simple XML file on the computer.
So if my laptop would be stolen or hacked, it would be possible to get access to precious servers. Unbelievable.
I have now switched to CuteFTP which encrypts the login credentials.
What is even worse:
After uninstalling FileZilla, the files with the passwords in clear text were not removed.
/ Jim Westergren
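An added example, not part of the original post and not FileZilla code: a small audit that reports how each saved login in an XML settings file is stored, without ever printing the secret itself. The element names (`Server`, `Host`, `User`, `Pass`), the `encoding` attribute and the sample data are assumptions constructed for illustration.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample. The element names and the "encoding" attribute are
# assumptions for illustration; they are not taken from the thread.
SAMPLE_XML = """<Config>
  <Servers>
    <Server><Host>ftp.example.org</Host><User>deploy</User><Pass>hunter2-constructed</Pass></Server>
    <Server><Host>files.example.net</Host><User>backup</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass></Server>
    <Server><Host>sftp.example.com</Host><User>admin</User></Server>
  </Servers>
</Config>"""


def classify_secret(pass_elem):
    """Say how a saved password is stored without ever returning its value."""
    if pass_elem is None or not (pass_elem.text or "").strip():
        return "not saved"
    encoding = pass_elem.get("encoding")
    if encoding is None:
        return "plaintext"
    if encoding.lower() == "base64":
        return "base64 (reversible encoding, not encryption)"
    return "other: " + encoding


def audit_saved_logins(xml_text):
    """Return one finding per server entry: host, user and storage class."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        findings.append({
            "host": server.findtext("Host", default="?"),
            "user": server.findtext("User", default="?"),
            "storage": classify_secret(server.find("Pass")),
        })
    return findings


def readable_by_others(mode):
    """True if the file mode lets group or other users read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for f in audit_saved_logins(SAMPLE_XML):
        print(f"{f['host']:20} {f['user']:8} {f['storage']}")
    print("mode 0644 readable by others:", readable_by_others(0o644))
```

Run against the settings files left behind after an uninstall, the same check shows which server passwords need rotating before the files are deleted.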
Re: Just learned that FileZilla stores passwords in clear te
Good luck with "Security through obscurity".
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
-
- 500 Command not understood
- Posts: 5
- Joined: 2012-07-31 08:26
- First name: Jim
- Last name: Westergren
Re: Just learned that FileZilla stores passwords in clear te
You see nothing wrong with this?
/ Jim Westergren
Re: Just learned that FileZilla stores passwords in clear te
You can disable saving of passwords in the settings dialog of FileZilla.
-
- 500 Command not understood
- Posts: 5
- Joined: 2012-07-31 08:26
- First name: Jim
- Last name: Westergren
Re: Just learned that FileZilla stores passwords in clear te
Ok, then that should be default in my opinion and in the setting to save passwords there should be a warning that it is saved in plain text.
/ Jim Westergren
Re: Just learned that FileZilla stores passwords in clear te
Jim Westergren wrote: You see nothing wrong with this?
Nope, I don't save 'em. I agree that it shouldn't save passwords by default, though.
-
- 500 Command not understood
- Posts: 2
- Joined: 2012-08-10 11:57
- First name: Larry
- Last name: Barnett
Re: Just learned that FileZilla stores passwords in clear te
Woah I did not know that, thank you for letting us know - *rushes off and changes passwords!*
-
- 500 Command not understood
- Posts: 5
- Joined: 2012-07-31 08:26
- First name: Jim
- Last name: Westergren
Re: Just learned that FileZilla stores passwords in clear te
Any updates in this matter or nothing changed?
/ Jim Westergren
Re: Just learned that FileZilla stores passwords in clear te
You're being asked now when you use the QuickConnect feature for the first time.
Re: Just learned that FileZilla stores passwords in clear te
Not to add gasoline to the fire.
But if you are worried about passwords being stored in plain text on your system... why aren't you encrypting your hard drive?
or... do what I do.
encrypt a thumb drive and run your filezilla from your thumb drive using "portable apps" (which is especially effective if you are using it at work and you don't want admins digging through your stuff--- just remember to back up your drive often)
- audiopro
- 226 Transfer OK
- Posts: 295
- Joined: 2013-03-23 12:55
- First name: Keith
- Location: Morecambe, England
Re: Just learned that FileZilla stores passwords in clear te
If someone steals your computer - you will have far more to worry about than a few FTP passwords.
Morecambe - Where the sun goes at night
-
- 500 Command not understood
- Posts: 3
- Joined: 2013-06-03 21:05
- First name: tj
- Last name: apado
Re: Just learned that FileZilla stores passwords in clear te
Is this password saving still valid with the new version of FileZilla?
I was searching in the settings tab, only I could not find anything about password storing.
Re: Just learned that FileZilla stores passwords in clear te
Settings - Interface -- Behavio(u)r section
Re: Just learned that FileZilla stores passwords in clear te
Hello !
I'm discovering this thread by accident, however, I'm trying very strongly NOT to overreact - but it is hard.
Filezilla is a program to which we grant the possibility to access our most private locations, web servers.
Feeding filezilla our SFTP credentials means telling the program how to ROOT access a server.
And yet, this is in the clear ?
This is a MAJOR security issue.
We're talking about easily copying root credentials. Thus turning a web server into a zombie, stealing its user data, stealing banking or commercial information, etcetera.
To me, it was so obvious Filezilla wouldn't store such crucial information as plain text, I never suspected the issue would even exist. I assume lots of other persons are in the same position : accepting to let the program remember passwords because it would be absurd to imagine the program isn't encrypting them.
Look, it's been eons (okay, maybe only geological ages) that Thunderbird, as well as other mail clients, has been encrypting saved passwords. A compromised email account is as much of a critical security flaw as compromised root login information. Same with web browsers: nobody would forgive Firefox, Chrome, Opera, IE or even Safari if they stored your passwords in plain text, and nobody would even imagine the passwords could be stored in the clear.
In terms of potential risk, Filezilla is on par, compromised credentials would be a dramatic issue.
It is fully possible to make the program remember passwords AND still encrypt them, so that they may not be harvested from a compromised storage location.
Ask the same question as OP about an email client or a web browser, and nobody would reply "just don't allow the program to remember the passwords, or if you allow the program to remember them, then you must accept that they can be read and copied at will", it simply wouldn't make sense.
So, why not make the addition of this feature a priority in Filezilla development ?
Please, please, dear developers, think about it
- pshanb
- 504 Command not implemented
- Posts: 7
- Joined: 2013-07-18 17:04
- First name: Prash
- Last name: Shan
Re: Just learned that FileZilla stores passwords in clear te
I am a new FileZilla user and I stumbled upon (this old thread) but it doesn't end with a post saying that this SERIOUS security breach has been addressed.
Can someone please confirm that this is no longer an issue.
Life is an open road - enjoy the ride!