FileZilla Forums

 Post subject: clear-text passwords
PostPosted: 2010-12-09 10:42 
500 Command not understood

Joined: 2010-12-09 09:47
Posts: 1
FileZilla's storage of passwords in plain text is plain irresponsible -- luring users to store their passwords in plain text for malware to scoop up at leisure, the gift that keeps on giving for the botnets.

The standard reply that 'perfect security is not possible -- if trivial malware can get through why can't the O/S be entirely compromised' is a perfect example of the perfect being the enemy of the better. (Perfect security is of course impossible.)

The storing of passwords should be disabled in FileZilla until an option for securing them with a master password is available -- like Firefox provides.

At the very least a FAQ entry should be present alerting users to the issue and referencing articles explaining the options on the major platforms for using FileZilla without leaving your passwords sitting around in clear text.


 Post subject: Re: clear-text passwords
PostPosted: 2010-12-10 08:48 
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19659
Location: Germany
Quote:
FileZilla's storage of passwords in plain text is plain irresponsible -- luring users to store their passwords in plain text for malware to scoop up at leisure, the gift that keeps on giving for the botnets.
FileZilla is not responsible for the user keeping his/her system clean of malware infections. It is meant primarily for experienced users, anyway. I agree that FileZilla should not save passwords by default, though.

Quote:
if trivial malware can get through why can't the O/S be entirely compromised
If malware manages to get on your machine, you've lost. It can do everything you can, and more: watching memory and HDD, logging your keypresses, etc.

Quote:
The storing of passwords should be disabled in FileZilla until an option for securing them with a master password is available -- like Firefox provides.
Yes, it should be disabled by default, with a big fat red warning if you decide to opt-in.

_________________
### BEGIN SIGNATURE BLOCK ###
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
All support requests per PM will be ignored!
### END SIGNATURE BLOCK ###


 Post subject: Re: clear-text passwords
PostPosted: 2011-03-13 16:33 
500 Command not understood

Joined: 2011-03-13 16:20
Posts: 1
Indeed, creating an account with Site Manager implies that I agree for my passwords to be stored (why in plain text, I don't know).
But aside from Site Manager, the logins/passwords are also stored for the Quickconnect, again, in plain text. That may be convenient, but anybody with access to my computer (be it malware, people physically at my computer, or people from local net) can read all those logins/passwords. And you're not even making it mildly inconvenient to do that, like putting that stuff in a binary file, or at least archived, ANYTHING besides plain text.
I know that I'm never protected against a skilled hacker, but getting "hacked" by any computer illiterate that somehow stumbles upon sitemanager.xml and recentservers.xml sounds too shameful to bear.


 Post subject: Re: clear-text passwords
PostPosted: 2011-03-13 19:23 
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19659
Location: Germany
You could use the fzdefaults.xml file to set kiosk mode 1. This will make FileZilla unable to store and remember any passwords. I use it all the time. The template for fzdefaults.xml is in the docs subdirectory in FileZilla's program dir.



 Post subject: Re: clear-text passwords
PostPosted: 2011-03-13 20:29 
Site Admin

Joined: 2004-02-23 20:49
Posts: 22551
The next version of FileZilla will have a checkbox in the settings dialog to disable saving of passwords.


 Post subject: Re: clear-text passwords
PostPosted: 2013-06-25 23:55 
500 Syntax error

Joined: 2007-07-28 05:32
Posts: 14
This is just freaking great. I updated FileZilla and it installed with the default set to not store passwords, wiping out all the passwords in my site manager. This setting should have been turned off, or there should have been a warning during the update. Luckily I have most of them saved in a backup of the sitemanager.xml.


 Post subject: Re: clear-text passwords
PostPosted: 2013-06-26 02:57 
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19659
Location: Germany
Slowly I'm beginning to think there's a glitch somewhere. :(

That feature isn't supposed to enable itself. Upon using the QuickConnect bar for the first time, you are presented with the choice to enable it. Updating users won't see it.

Could you check for a setting named:

Code:
        <Setting name="Prompt password change">0</Setting>


inside your FileZilla.xml? It's in ~/.filezilla or %APPDATA%\FileZilla, depending on OS.



 Post subject: Re: clear-text passwords
PostPosted: 2013-06-27 13:54 
500 Syntax error

Joined: 2007-07-28 05:32
Posts: 14
Hi Boco,

The setting is there and set to 0 now but I've already unchecked it in preferences and gone back and entered the passwords on several accounts.

I don't use the quick connect option. Well, I have used it before to confirm a connection, but then I go add the site in the site manager. I will admit it is possible at some point when using quick connect I absent-mindedly clicked through a prompt about saving passwords, but I don't think so. What I do know is I did an update and then tried to connect to a site to find the setting had been enabled at some point.

BTW I know clear text isn't safe, but I have multiple website accounts all with different long secure passwords I could not possibly remember, so I choose to just try to keep a secure computer and network. Although I suppose I could store them all in KeePass or something instead.

Thanks


 Post subject: Re: clear-text passwords
PostPosted: 2013-06-29 16:51 
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19659
Location: Germany
Quote:
The setting is there and set to 0 now but I've already unchecked it in preferences and gone back and entered the passwords on several accounts.
That setting with a value of 0 just means the security question has been triggered.
My config doesn't have that line, maybe because I'm already on kiosk mode.

The real setting name is "Kiosk mode".

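
An audit sketch for the files named in this thread, added here as an example and not FileZilla's own code or anything posted by the participants: it counts non-empty password entries in sitemanager.xml and recentservers.xml and reads the "Kiosk mode" setting from FileZilla.xml, without ever printing a password. The `<Pass>` element name, the function names and the sample files are assumptions constructed for the illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Files named in the thread; the <Pass> element name is an assumption.
CREDENTIAL_FILES = ("sitemanager.xml", "recentservers.xml")

def audit_filezilla_dir(config_dir):
    """Report stored passwords and the kiosk-mode setting without printing secrets."""
    config_dir = Path(config_dir)
    report = {"stored_passwords": {}, "kiosk_mode": None, "unreadable": []}
    for name in CREDENTIAL_FILES + ("FileZilla.xml",):
        path = config_dir / name
        if not path.is_file():
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            report["unreadable"].append(name)  # malformed file: flag it, keep going
            continue
        if name == "FileZilla.xml":
            for setting in root.iter("Setting"):
                if setting.get("name") == "Kiosk mode":
                    report["kiosk_mode"] = (setting.text or "").strip()
        else:
            # Count non-empty password elements; never copy their contents.
            hits = sum(1 for p in root.iter("Pass") if (p.text or "").strip())
            if hits:
                report["stored_passwords"][name] = hits
    return report

def build_sample_dir():
    """Constructed sample profile (not real FileZilla output) for an offline run."""
    d = Path(tempfile.mkdtemp())
    (d / "sitemanager.xml").write_text(
        "<FileZilla3><Servers>"
        "<Server><Host>ftp.example.test</Host><User>alice</User><Pass>constructed-secret</Pass></Server>"
        "<Server><Host>ftp2.example.test</Host><User>bob</User><Pass></Pass></Server>"
        "</Servers></FileZilla3>")
    (d / "recentservers.xml").write_text("<FileZilla3><RecentServers/></FileZilla3>")
    (d / "FileZilla.xml").write_text(
        '<FileZilla3><Settings><Setting name="Kiosk mode">0</Setting>'
        '<Setting name="Prompt password change">0</Setting></Settings></FileZilla3>')
    return d

if __name__ == "__main__":
    print(audit_filezilla_dir(build_sample_dir()))
```

Point `audit_filezilla_dir` at ~/.filezilla or %APPDATA%\FileZilla, the locations given in the thread, to check a real profile.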

