Just learned that FileZilla stores passwords in clear text

Come here to discuss FileZilla and FTP in general

Moderator: Project members

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: Just learned that FileZilla stores passwords in clear te

#16 Post by boco » 2013-07-18 17:40

The developer said that FileZilla will never obfuscate passwords. Search the other threads discussing that topic.
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php

oliverfr
500 Syntax error
Posts: 13
Joined: 2011-03-04 16:12
First name: just
Last name: oliver

Re: Just learned that FileZilla stores passwords in clear te

#17 Post by oliverfr » 2013-07-19 00:22

Thanks for the heads up, Boco, I'm grateful you clarified this situation for me.

I'm giving up on filezilla from now on, I can't trust a program that won't do anything to minimize the harm I'll suffer if I show a single moment of weakness and accidentally allow access to the location where the passwords are stored.

I'm also already doing my very best on the places where my voice reaches audience, to push the webmasters that I know to move to other programs.

Nothing heinous about it, but I really think it's for the best. Professionals in an enterprise environment may trust FileZilla because there's a whole security policy and they're trained in it, but I now wouldn't recommend this to anyone else. Philosophy debates aside, this acts as an actual security hole, and it is so unexpected (who'd believe FZ stores credentials as plain text) that you can be sure tens of thousands of webmasters have the security of their servers put at risk.

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Just learned that FileZilla stores passwords in clear te

#18 Post by botg » 2013-07-19 05:58

The real question is this: Why do you store passwords? Let your voice carry the message not to save passwords in the first place. Password saving can be disabled in FileZilla.

oliverfr
500 Syntax error
Posts: 13
Joined: 2011-03-04 16:12
First name: just
Last name: oliver

Re: Just learned that FileZilla stores passwords in clear te

#19 Post by oliverfr » 2013-07-19 08:30

I can't say I adore typing twenty-letter-long passwords that I am unable to remember. I must connect to my servers at least 40 times a day for a variety of reasons, and I couldn't be more thrilled to have to type everything again every time. Even resorting to a program like KeePass would still mean major annoyance and a considerable amount of time lost on it.

By contrast, WinSCP means I'll be prompted once for one password. Oh, the annoyance.

But I'm giving up, you clearly only care about:
- forcing your personal elitist opinion on others
- refusing to lessen the harm the average user (as opposed to the expert) will suffer when he fails somewhere, sometime

And I'll still loudly try to deter webmasters from using filezilla in the future (well, actually, I already published my warnings, but I'll seize opportunities in the future).
This is really a pity, a whole program's fantastic worth compromised by mental rigidity. I really, really hope the community will be listened to in some remote future :(

audiopro
226 Transfer OK
Posts: 295
Joined: 2013-03-23 12:55
First name: Keith
Location: Morecambe, England

Re: Just learned that FileZilla stores passwords in clear te

#20 Post by audiopro » 2013-07-19 09:18

'oliverfr'
You seem to have a real axe to grind with Filezilla - the answer is simple - don't use it.

I have a serious hatred of social media but I don't rant about it, I just don't do it - simple.
Morecambe - Where the sun goes at night

oliverfr
500 Syntax error
Posts: 13
Joined: 2011-03-04 16:12
First name: just
Last name: oliver

Re: Just learned that FileZilla stores passwords in clear te

#21 Post by oliverfr » 2013-07-19 11:43

@Audiopro: the proper term would be that I feel "betrayed".
I was putting blind trust in FileZilla and giving it my most important credentials, and it was storing them in plain text. I've given it a bit of thought, and in terms of "how much damage could it cause me, in terms of money lost, time lost", the only credentials that are more vital to me than those stored in FileZilla are the username and password to access my bank account online.
I won't pretend the fault lay with anyone else but me: if somebody can access my .xml file, it means I was at fault. But then again, I am just an average person, not working and trained in an enterprise environment, simply striving to do my best even though I'm imperfect. Most of the security lessons I have learnt have been learnt by trial and error: there have been errors, yep.

So what? I make mistakes, I leave my computer for my wife to use, and I sometimes let my kids use my session instead of starting their own session. Does that mean I can simply go and post my credentials on pastebin.com for the little difference it would make?
Take web browsers as a comparison.
From the same starting point, my imperfection, they do make a difference, it would require lots of skill and effort (OK, and a master password) to steal my credentials, making an actual successful theft highly improbable.
From the same starting point, filezilla greets anyone who made it into my system with open arms, even the wannabe newbie hacker with sheer luck and no talent.

And, the worst thing, Filezilla never mentions this anywhere to its users. While everyone will automatically assume this is at least as safe as a web browser.
This way, filezilla really does put a great number of its users at unnecessary risk.

Why not, simply, pop up a warning message, in big letters, the first time a password is stored, to say "warning, security is your entire responsibility and passwords are stored in plain text"?

I could have been selfish and simply given up on Fz.
But being selfish doesn't help much. I want to help, in my own way. That's why I've been spreading the word, to prevent other average persons like me from being at high risk while they weren't even aware.

Well, I'm leaving on holidays for two weeks. Sorry if the discussion was heated, I still don't feel heinous today. I wish everyone, grudges or not, a wonderful summer :)

audiopro
226 Transfer OK
Posts: 295
Joined: 2013-03-23 12:55
First name: Keith
Location: Morecambe, England

Re: Just learned that FileZilla stores passwords in clear te

#22 Post by audiopro » 2013-07-19 12:10

The only danger I see is from someone using your computer when you are not there.
I have never been concerned about my wife or kids hacking my computer.

Enjoy your break :)

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Just learned that FileZilla stores passwords in clear te

#23 Post by botg » 2013-07-20 08:24

oliverfr wrote: Why not, simply, pop up a warning message, in big letters, the first time a password is stored, to say "warning, security is your entire responsibility and passwords are stored in plain text"?
You are already prompted whether you want to store passwords when using the quickconnect bar for the first time with a non-anonymous account.

PJOttCan
500 Command not understood
Posts: 1
Joined: 2013-07-20 19:21
First name: Paul
Last name: Johnston

Re: Just learned that FileZilla stores passwords in clear te

#24 Post by PJOttCan » 2013-07-20 19:32

I agree wholeheartedly that this is a bad idea and am not happy with the responses from the developers. Why is it only "store in plaintext or don't store" and not the third option, "store encrypted"?

Why not employ an internal password vault so when we start FZ we're asked a single password that then makes access to individual entries' vault-protected passwords possible? Instead of storing a plaintext password per entry you store a Password vault key. This seems like a very viable solution.

Yes, entering 20-character strong passwords each time is annoying. You have a very nice product, otherwise.

It would be nice if you guys could state your rationale for not encrypting passwords. After all, Ipswitch and their WS_FTP product have been doing it for years.

audiopro
226 Transfer OK
Posts: 295
Joined: 2013-03-23 12:55
First name: Keith
Location: Morecambe, England

Re: Just learned that FileZilla stores passwords in clear te

#25 Post by audiopro » 2013-07-20 20:50

Ah, Ipswitch - have you used their latest product and found it intuitive?
I used WS_FTP95 for years and had no problems with it.
I upgraded to the Windows version and had all sorts of problems uploading to the wrong server.

What exactly is your perceived security problem with FileZilla?
They store passwords in plain text - who can read them?
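audiopro's question ("who can read them?") has a precise answer: any user or process that can read the site manager file. The following Go program is an added example written for this page; it is not FileZilla's code and was not posted by anyone in the thread. It parses a document in the shape of sitemanager.xml (the file usually lives at %APPDATA%\FileZilla\sitemanager.xml on Windows and ~/.config/filezilla/sitemanager.xml on Linux; recentservers.xml uses the same layout) and reports every saved credential. The element names, the base64 variant of <Pass> seen in later releases, and the numbering of <Protocol> are the format as I know it and should be read as assumptions; the sample document is constructed inline, not taken from any real machine.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample shaped like a FileZilla sitemanager.xml. Element names are
// the format as I know it (an assumption, not copied from the project); the
// <Pass encoding="base64"> form of later releases is encoding, not encryption.
const sampleSiteManager = `<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
    <User>webmaster</User><Pass>hunter2-plaintext</Pass><Name>Production site</Name></Server>
  <Server><Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
    <User>deploy</User><Pass encoding="base64">czNjcjN0LXBhc3N3b3Jk</Pass><Name>Staging</Name></Server>
  <Server><Host>ftp.mirror.example.net</Host><Port>21</Port><Protocol>0</Protocol>
    <User>anonymous</User><Name>Anonymous mirror</Name></Server>
</Servers></FileZilla3>`

type passElem struct {
	Encoding string `xml:"encoding,attr"`
	Value    string `xml:",chardata"`
}

type server struct {
	Host     string    `xml:"Host"`
	Port     int       `xml:"Port"`
	Protocol int       `xml:"Protocol"` // 0 = FTP, 1 = SFTP (assumed numbering)
	User     string    `xml:"User"`
	Pass     *passElem `xml:"Pass"`
	Name     string    `xml:"Name"`
}

type siteManager struct {
	Servers []server `xml:"Servers>Server"`
}

// Finding is one saved site and how its password is stored.
type Finding struct {
	Name, Host, User string
	Port, Protocol   int
	Storage          string // "plaintext", "base64" or "none"
	Password         string // the recovered secret; redact before logging
}

// Audit recovers every saved password exactly as any process or user with read
// access to the file can. A base64 <Pass> is decoded, not "decrypted".
func Audit(doc string) ([]Finding, error) {
	var sm siteManager
	if err := xml.Unmarshal([]byte(doc), &sm); err != nil {
		return nil, fmt.Errorf("parse sitemanager: %w", err)
	}
	findings := make([]Finding, 0, len(sm.Servers))
	for _, s := range sm.Servers {
		f := Finding{Name: s.Name, Host: s.Host, User: s.User, Port: s.Port,
			Protocol: s.Protocol, Storage: "none"}
		if s.Pass != nil && strings.TrimSpace(s.Pass.Value) != "" {
			if s.Pass.Encoding == "base64" {
				raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(s.Pass.Value))
				if err != nil {
					return nil, fmt.Errorf("%s: bad base64 <Pass>: %w", s.Host, err)
				}
				f.Storage, f.Password = "base64", string(raw)
			} else {
				f.Storage, f.Password = "plaintext", s.Pass.Value
			}
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// Redact keeps only the length, enough to spot short or reused passwords.
func Redact(secret string) string {
	return strings.Repeat("*", len(secret))
}

func main() {
	findings, err := Audit(sampleSiteManager)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %s@%s:%d storage=%-9s password=%s\n",
			f.Name, f.User, f.Host, f.Port, f.Storage, Redact(f.Password))
	}
}
```

To audit a real installation, feed the contents of your own sitemanager.xml (for example via os.ReadFile) to Audit instead of the constructed sample. Note that the report only redacts for display: the Finding values hold the real secrets, which is the whole point. Anyone with the file has them, whether that is a backup, another account on a shared machine, or a process that ran for a second.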

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Just learned that FileZilla stores passwords in clear te

#26 Post by botg » 2013-07-20 21:16

PJOttCan wrote: Why not employ an internal password vault so when we start FZ we're asked a single password that then makes access to individual entries' vault-protected passwords possible?
If there's malware on your computer that can read plaintext passwords, it can just as well intercept your master password.

flagpole
425 Can't open data connection
Posts: 46
Joined: 2013-07-30 14:45
First name: nigel
Last name: coldwell

Re: Just learned that FileZilla stores passwords in clear te

#27 Post by flagpole » 2013-07-30 14:54

botg wrote: If there's malware on your computer that can read plaintext passwords, it can just as well intercept your master password.
Only if the malware is running whilst I enter my password.

If something nasty runs for a second, even sandboxed, it can make away with your FileZilla-stored passwords.

That you are asked if you want to store passwords is not sufficient. It does not say that passwords are stored in plain text. I wonder how many of your users are aware of what you are doing?

It's simply irresponsible. I wonder what percentage of phishing, DDoS traffic, drive-by downloads, spam and all the other internet nasties are due to server passwords obtained from FileZilla?

It's often overused, but I was actually shocked when I heard about this.

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Just learned that FileZilla stores passwords in clear te

#28 Post by botg » 2013-07-30 18:17

flagpole wrote: I wonder what percentage of phishing, DDoS traffic, drive-by downloads, spam and all the other internet nasties are due to server passwords obtained from FileZilla?
I wonder what percentage of phishing, DDoS traffic, drive-by downloads, spam and all the other internet nasties are due to people not preventing malware infections in the first place.

flagpole
425 Can't open data connection
Posts: 46
Joined: 2013-07-30 14:45
First name: nigel
Last name: coldwell

Re: Just learned that FileZilla stores passwords in clear te

#29 Post by flagpole » 2013-07-30 18:55

botg wrote: I wonder what percentage of phishing, DDoS traffic, drive-by downloads, spam and all the other internet nasties are due to people not preventing malware infections in the first place.
A great deal, I'm sure. But neither you nor I can stop that.

But however much is the responsibility of FileZilla-pwned passwords, that responsibility stops here. Personally, I couldn't just brush that off. I would do something about it. It's like disabling all the in-car airbags because safe drivers don't need them, but not telling anyone that's what you've done.

I certainly feel betrayed, as I'm sure many of your users do when they find this out. I'm gutted that I recommended FZ to people.

I keep reading this quote: "If your system is secure, you can use nuclear missile launch codes as desktop background." Well, if my aunt had balls she'd be my uncle. In the real world people get malware...

njpsolid
500 Command not understood
Posts: 1
Joined: 2013-08-11 15:17
First name: Azees
Last name: Ishola

Re: Just learned that FileZilla stores passwords in clear te

#30 Post by njpsolid » 2013-08-11 15:31

It's safe using FileZilla. That is why you have preferences. You can quickly clear your user cPanel details using the Quickconnect. I don't see why this is an issue.
<Removed, not allowed>
