Site Manager password security

Posted: 2019-04-04 09:41
by steveapple
I am concerned that FileZilla stores site FTP URLs in the clear and the corresponding password in Base64 encoding in an unencrypted XML file, "sitemanager.xml". This applies even to sites using FTP over TLS. This to me is a potentially serious security breach because, if a person gains access to one's computer or even to a backup copy of this file, the security of access to all one's managed FTP sites would be compromised. This creates the possibility for a malicious person to use such file theft to insert malware into websites or even destroy them altogether.
I would like to suggest that the sitemanager.xml and other related files should be optionally securely encrypted and protected by a user-supplied password used each time the application is opened or maximised. Would the developers consider (or are they considering) such a proposal? Does such a facility exist unknown to me?
Best, Steve.

Re: Site Manager password security

Posted: 2019-04-04 10:40
by botg
You can configure a master password in the settings dialog.

Re: Site Manager password security

Posted: 2019-04-04 12:05
by boco
Note that if an attacker indeed gets full access to your machine, your problems are far worse than just lost FileZilla passwords. That's really a worst case scenario.

Another note: Please, remember your master password well. FileZilla does not have any recovery backdoor and if you forget the master password, all login data is gone.
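
Added example, not part of the thread and not FileZilla's own code: a small audit that lists which Site Manager entries in a sitemanager.xml still hold a password in reversible form, without decoding or printing any password. The element names (`Server`, `Host`, `User`, `Pass`, `Name`) and the `encoding="crypt"` marker for entries protected by the master password are assumptions about the file layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for sitemanager.xml (not from the thread).
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.org</Host>
      <User>alice</User>
      <Pass encoding="base64">bm90LWEtcmVhbC1wYXNzd29yZA==</Pass>
      <Name>Example site</Name>
    </Server>
    <Server>
      <Host>files.example.net</Host>
      <User>bob</User>
      <Pass encoding="crypt" pubkey="PLACEHOLDER">PLACEHOLDER</Pass>
      <Name>Protected site</Name>
    </Server>
    <Server>
      <Host>anon.example.com</Host>
      <User>anonymous</User>
      <Name>No stored password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_sitemanager(xml_text):
    """Return (name, host, user, status) per site; passwords are never decoded."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            status = "no-stored-password"
        elif pw.get("encoding") == "crypt":  # assumed master-password marker
            status = "protected"
        else:  # Base64 or plain text: readable by anyone holding the file
            status = "reversible"
        findings.append((server.findtext("Name", ""), server.findtext("Host", ""),
                         server.findtext("User", ""), status))
    return findings

def exposed_sites(xml_text):
    """Entries whose stored password needs no key to recover."""
    return [f for f in audit_sitemanager(xml_text) if f[3] == "reversible"]

if __name__ == "__main__":
    for name, host, user, status in audit_sitemanager(SAMPLE):
        print(f"{status:20} {name} ({user}@{host})")
```

Running the same check over backup copies of the file shows whether older, unprotected versions are still lying around after a master password has been set.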