Just learned that FileZilla stores passwords in clear text

Posted: 2012-07-31 16:29
by Jim Westergren
After using FileZilla for years I have now realized that the program is very dangerous as it stores the server connection details + passwords as clear text in a simple XML file on the computer.

So if my laptop were stolen or hacked, it would be possible to get access to precious servers. Unbelievable.

I have now switched to CuteFTP which encrypts the login credentials.

What is even worse:
After uninstalling FileZilla, the files with the passwords in clear text were not removed.
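
A defender's check for the situation the post describes, added here as an example and not code from the thread or the FileZilla project: it parses a FileZilla-style site manager XML and lists every saved server whose password is still stored (plain text or merely base64-wrapped), so the credentials can be rotated and the leftover file securely deleted. The sample XML is constructed, and the element names (`<Server>`, `<Host>`, `<User>`, `<Pass>`) are an assumption about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a FileZilla 3 sitemanager.xml;
# the element names are an assumption, not taken from the thread.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <User>deploy</User>
      <Pass>hunter2</Pass>
      <Name>Plain text site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <User>root</User>
      <Pass encoding="base64">c2VjcmV0</Pass>
      <Name>Base64 site</Name>
    </Server>
    <Server>
      <Host>nopass.example.test</Host>
      <User>anon</User>
      <Name>No saved password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_credentials(xml_text):
    """Return (name, host, user, how) for every <Server> that still has a
    <Pass>. 'how' is 'plaintext' or 'base64'; base64 is an encoding, not
    encryption, so both are recoverable by anyone who can read the file."""
    found = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # nothing saved for this site
        how = "base64" if pw.get("encoding") == "base64" else "plaintext"
        found.append((server.findtext("Name", ""), server.findtext("Host", ""),
                      server.findtext("User", ""), how))
    return found


if __name__ == "__main__":
    # Report host/user only, never the secret, so the audit output does
    # not become another copy of the credentials that needs protecting.
    for name, host, user, how in stored_credentials(SAMPLE_XML):
        print(f"{name}: {user}@{host} has a {how} password saved; rotate it")
```

Point it at the real file by reading it into `stored_credentials`; any entry it reports should be treated as an exposed credential whether or not the laptop was ever lost.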

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2012-08-01 02:28
by boco
Good luck with "Security through obscurity".

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2012-08-01 09:44
by Jim Westergren
You see nothing wrong with this?

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2012-08-02 06:32
by botg
You can disable saving of passwords in the settings dialog of FileZilla.

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2012-08-02 08:27
by Jim Westergren
OK, then that should be the default in my opinion, and in the setting to save passwords there should be a warning that they are saved in plain text.

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2012-08-03 00:47
by boco
Jim Westergren wrote: You see nothing wrong with this?
Nope, I don't save 'em. I agree that it shouldn't save passwords by default, though.

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2012-08-10 12:06
by lbarnett67
Woah I did not know that, thank you for letting us know - *rushes off and changes passwords!*

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-05-10 16:38
by Jim Westergren
Any updates on this matter, or has nothing changed?

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-05-10 17:53
by boco
You're being asked now when you use the QuickConnect feature for the first time.

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-05-22 11:38
by Cynyster
Not to add gasoline to the fire. :lol:

But if you are worried about passwords being stored in plain text on your system... why aren't you encrypting your hard drive?

or... do what I do.

Encrypt a thumb drive and run your FileZilla from your thumb drive using "portable apps" (which is especially effective if you are using it at work and you don't want admins digging through your stuff; just remember to back up your drive often).

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-05-22 18:22
by audiopro
If someone steals your computer, you will have far more to worry about than a few FTP passwords.

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-06-03 21:24
by tjapado
Is this password saving still valid with the new version of FileZilla?

I was searching in the settings tab but could not find anything about password storing.

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-06-03 21:41
by boco
Settings - Interface -- Behavio(u)r section

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-07-18 09:24
by oliverfr
Hello!

I'm discovering this thread by accident; however, I'm trying very strongly NOT to overreact, but it is hard.
FileZilla is a program to which we grant the possibility to access our most private locations, web servers.
Feeding FileZilla our SFTP credentials means telling the program how to ROOT access a server.

And yet, this is in the clear?

This is a MAJOR security issue.
We're talking about easily copying root credentials. Thus turning a web server into a zombie, stealing its user data, stealing banking or commercial information, etcetera.

To me, it was so obvious FileZilla wouldn't store such crucial information as plain text that I never suspected the issue would even exist. I assume lots of other people are in the same position: accepting to let the program remember passwords because it would be absurd to imagine the program isn't encrypting them.

Look, it's been eons (okay, maybe only geological ages) that Thunderbird, as well as other mail clients, has been encrypting saved passwords. A compromised email account is as much of a critical security flaw as compromised root login information. Same with web browsers: nobody would forgive Firefox, Chrome, Opera, IE or even Safari if they stored your passwords in plain text, and nobody would even imagine the passwords could be stored in the clear.
In terms of potential risk, FileZilla is on par; compromised credentials would be a dramatic issue.

It is fully possible to make the program remember passwords AND still encrypt them, so that they may not be harvested from a compromised storage location.
Ask the same question as OP about an email client or a web browser, and nobody would reply "just don't allow the program to remember the passwords, or if you allow the program to remember them, then you must accept that they can be read and copied at will", it simply wouldn't make sense.

So, why not make the addition of this feature a priority in FileZilla development? :)

Please, please, dear developers, think about it :)

Re: Just learned that FileZilla stores passwords in clear text

Posted: 2013-07-18 17:36
by pshanb
I am a new FileZilla user and I stumbled upon this old thread, but it doesn't end with a post saying that this SERIOUS security breach has been addressed.

Can someone please confirm that this is no longer an issue?