Hello!
I'm discovering this thread by accident, however, I'm trying very strongly NOT to overreact - but it is hard.
FileZilla is a program to which we grant the possibility to access our most private locations, web servers. Feeding FileZilla our SFTP credentials means telling the program how to ROOT access a server.
And yet, this is in the clear?
This is a MAJOR security issue.
We're talking about easily copying root credentials. Thus turning a web server into a zombie, stealing its user data, stealing banking or commercial information, etcetera.
To me, it was so obvious FileZilla wouldn't store such crucial information as plain text, I never suspected the issue would even exist. I assume lots of other persons are in the same position: accepting to let the program remember passwords because it would be absurd to imagine the program isn't encrypting them.
Look, it's been eons (okay, maybe only geological ages) that Thunderbird, as well as other mail clients, has been encrypting saved passwords. A compromised email account is as much of a critical security flaw as compromised root login information. Same with web browsers: nobody would forgive Firefox, Chrome, Opera, IE or even Safari if they stored your passwords in plain text, and nobody would even imagine the passwords could be stored in the clear.
In terms of potential risk, FileZilla is on par; compromised credentials would be a dramatic issue.
It is fully possible to make the program remember passwords AND still encrypt them, so that they may not be harvested from a compromised storage location.
Ask the same question as OP about an email client or a web browser, and nobody would reply "just don't allow the program to remember the passwords, or if you allow the program to remember them, then you must accept that they can be read and copied at will", it simply wouldn't make sense.
So, why not make the addition of this feature a priority in FileZilla development?
Please, please, dear developers, think about it