Just learned that FileZilla stores passwords in clear text

Jim Westergren
500 Command not understood
Posts: 5
Joined: 2012-07-31 08:26
First name: Jim
Last name: Westergren

#1 Post by Jim Westergren » 2012-07-31 16:29

After using FileZilla for years I have now realized that the program is very dangerous as it stores the server connection details + passwords as clear text in a simple XML file in the computer.

So if my laptop would be stolen or hacked, it would be possible to get access to precious servers. Unbelievable.

I have now switched to CuteFTP which encrypts the login credentials.

What is even worse:
After uninstalling FileZilla, the files with the passwords in clear text were not removed.
/ Jim Westergren
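
An added example, not part of the original post and not FileZilla's own code: a defender-side audit that lists which saved site entries carry a recoverable password, without ever printing the password. The file path is supplied by the caller; the element names (`FileZilla3`, `Server`, `Host`, `User`, `Pass`) and the `encoding` attribute are assumptions about the file layout, and the XML is a constructed sample.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, not a real configuration. Element and attribute names
# are assumptions about the layout of the saved-sites XML file.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.com</Host><Port>21</Port><User>deploy</User><Pass>constructed-secret</Pass></Server>
    <Server><Host>sftp.example.org</Host><Port>22</Port><User>admin</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass></Server>
    <Server><Host>files.example.net</Host><Port>21</Port><User>guest</User></Server>
  </Servers>
</FileZilla3>
"""

def audit_saved_sites(path):
    """Report entries holding a recoverable password, never the password itself."""
    findings = []
    for server in ET.parse(path).getroot().iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # no password saved for this entry
        # base64 is an encoding, not encryption: anyone holding the file can reverse it
        storage = "base64-encoded" if pw.get("encoding") == "base64" else "plain text"
        findings.append({"host": server.findtext("Host", ""),
                         "user": server.findtext("User", ""),
                         "storage": storage})
    return findings

def readable_by_others(path):
    """True if group or other local users have read permission (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def run_demo():
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE_XML)
    try:
        os.chmod(fh.name, 0o644)  # a typical permissive default
        return audit_saved_sites(fh.name), readable_by_others(fh.name)
    finally:
        os.remove(fh.name)

if __name__ == "__main__":
    findings, exposed = run_demo()
    for f in findings:
        print(f"{f['user']}@{f['host']}: password saved as {f['storage']}")
    print("file readable by other local users:", exposed)
```

Every entry it reports is a credential to rotate if the file may have left your control, and a candidate for removal from the saved sites.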

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

#2 Post by boco » 2012-08-01 02:28

Good luck with "Security through obscurity".
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

#3 Post by Jim Westergren » 2012-08-01 09:44

You see nothing wrong with this?
/ Jim Westergren

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#4 Post by botg » 2012-08-02 06:32

You can disable saving of passwords in the settings dialog of FileZilla.

#5 Post by Jim Westergren » 2012-08-02 08:27

Ok, then that should be default in my opinion and in the setting to save passwords there should be a warning that it is saved in plain text.
/ Jim Westergren

#6 Post by boco » 2012-08-03 00:47

Jim Westergren wrote: You see nothing wrong with this?
Nope, I don't save 'em. I agree that it shouldn't save passwords by default, though.

lbarnett67
500 Command not understood
Posts: 2
Joined: 2012-08-10 11:57
First name: Larry
Last name: Barnett

#7 Post by lbarnett67 » 2012-08-10 12:06

Woah I did not know that, thank you for letting us know - *rushes off and changes passwords!*

#8 Post by Jim Westergren » 2013-05-10 16:38

Any updates in this matter or nothing changed?
/ Jim Westergren

#9 Post by boco » 2013-05-10 17:53

You're being asked now when you use the QuickConnect feature for the first time.

Cynyster

#10 Post by Cynyster » 2013-05-22 11:38

Not to add gasoline to the fire. :lol:

But if you are worried about passwords being stored in plain text on your system... why aren't you encrypting your hard drive?

Or... do what I do.

Encrypt a thumb drive and run your FileZilla from your thumb drive using "portable apps" (which is especially effective if you are using it at work and you don't want admins digging through your stuff; just remember to back up your drive often).

audiopro
226 Transfer OK
Posts: 295
Joined: 2013-03-23 12:55
First name: Keith
Location: Morecambe, England

#11 Post by audiopro » 2013-05-22 18:22

If someone steals your computer - you will have far more to worry about than a few FTP passwords.
Morecambe - Where the sun goes at night

tjapado
500 Command not understood
Posts: 3
Joined: 2013-06-03 21:05
First name: tj
Last name: apado

#12 Post by tjapado » 2013-06-03 21:24

Is this password saving still valid with the new version of FileZilla?

I was searching in the settings tab, only could not find anything about password storing.

#13 Post by boco » 2013-06-03 21:41

Settings - Interface -- Behavio(u)r section

oliverfr
500 Syntax error
Posts: 13
Joined: 2011-03-04 16:12
First name: just
Last name: oliver

#14 Post by oliverfr » 2013-07-18 09:24

Hello!

I'm discovering this thread by accident, however, I'm trying very strongly NOT to overreact - but it is hard.
FileZilla is a program to which we grant the possibility to access our most private locations, web servers.
Feeding FileZilla our SFTP credentials means telling the program how to ROOT access a server.

And yet, this is in the clear?

This is a MAJOR security issue.
We're talking about easily copying root credentials. Thus turning a web server into a zombie, stealing its user data, stealing banking or commercial information, etcetera.

To me, it was so obvious FileZilla wouldn't store such crucial information as plain text, I never suspected the issue would even exist. I assume lots of other persons are in the same position: accepting to let the program remember passwords because it would be absurd to imagine the program isn't encrypting them.

Look, it's been eons (okay, maybe only geological ages) that Thunderbird, as well as other mail clients, is encrypting saved passwords. A compromised email account is as much of a critical security flaw as compromised root login information. Same with web browsers, nobody would forgive Firefox, Chrome, Opera, IE or even Safari if they stored your passwords in plain text, and nobody would even imagine the passwords could be stored in the clear.
In terms of potential risk, FileZilla is on par, compromised credentials would be a dramatic issue.

It is fully possible to make the program remember passwords AND still encrypt them, so that they may not be harvested from a compromised storage location.
Ask the same question as OP about an email client or a web browser, and nobody would reply "just don't allow the program to remember the passwords, or if you allow the program to remember them, then you must accept that they can be read and copied at will", it simply wouldn't make sense.

So, why not make the addition of this feature a priority in FileZilla development? :)

Please, please, dear developers, think about it :)

pshanb
504 Command not implemented
Posts: 7
Joined: 2013-07-18 17:04
First name: Prash
Last name: Shan

#15 Post by pshanb » 2013-07-18 17:36

I am a new FileZilla user and I stumbled upon (this old thread) but it doesn't end with a post saying that this SERIOUS security breach has been addressed.

Can someone please confirm that this is no longer an issue?
Life is an open road - enjoy the ride!

Locked