clear-text passwords

chrisdornan
500 Command not understood
Posts: 1
Joined: 2010-12-09 09:47
First name: Chris
Last name: Dornan

clear-text passwords

#1 Post by chrisdornan » 2010-12-09 10:42

FileZilla's storage of passwords in plain text is plain irresponsible -- luring users to store their passwords in plain text for malware to scoop up at leisure, the gift that keeps on giving for the botnets.

The standard reply that 'perfect security is not possible -- if trivial malware can get through why can't the O/S be entirely compromised' is a perfect example of the perfect being the enemy of the better. (Perfect security is of course impossible.)

The storing of passwords should be disabled in FileZilla until an option for securing them with a master password is available -- like Firefox provides.

At the very least a FAQ entry should be present alerting users to the issue and referencing articles explaining the options on the major platforms for using FileZilla without leaving your passwords sitting around in clear text.

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: clear-text passwords

#2 Post by boco » 2010-12-10 08:48

> FileZilla's storage of passwords in plain text is plain irresponsible -- luring users to store their passwords in plain text for malware to scoop up at leisure, the gift that keeps on giving for the botnets.

FileZilla is not responsible for the user keeping his/her system clean of malware infections. It is meant primarily for experienced users, anyway. I agree that FileZilla should not save passwords by default, though.

> if trivial malware can get through why can't the O/S be entirely compromised

If malware manages to get on your machine, you lost. It can do everything you can, and more. Watching memory and HDD, log your keypresses etc.

> The storing of passwords should be disabled in FileZilla until an option for securing them with a master password is available -- like Firefox provides.

Yes, it should be disabled by default, with a big fat red warning if you decide to opt-in.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

marian.ene
500 Command not understood
Posts: 1
Joined: 2011-03-13 16:20

Re: clear-text passwords

#3 Post by marian.ene » 2011-03-13 16:33

Indeed, creating an account with Site Manager implies that I agree for my passwords to be stored (why in plain text, I don't know).
But aside from Site Manager, the logins/passwords are also stored for the Quickconnect, again, in plain text. That may be convenient, but anybody with access to my computer (be it malware, people physically at my computer, or people from local net) can read all those logins/passwords. And you're not even making it mildly inconvenient to do that, like putting that stuff in a binary file, or at least archived, ANYTHING besides plain text.
I know that I'm never protected against a skilled hacker, but getting "hacked" by any computer illiterate that somehow stumbles upon sitemanager.xml and recentservers.xml sounds too shameful to bear.

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: clear-text passwords

#4 Post by boco » 2011-03-13 19:23

You could use the fzdefaults.xml file to set kiosk mode 1. This will make FileZilla unable to store and remember any passwords. I use it all the time. The template for fzdefaults.xml is in the docs subdirectory in FileZilla's program dir.

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: clear-text passwords

#5 Post by botg » 2011-03-13 20:29

The next version of FileZilla will have a checkbox in the settings dialog to disable saving of passwords.

iansane
500 Syntax error
Posts: 14
Joined: 2007-07-28 05:32

Re: clear-text passwords

#6 Post by iansane » 2013-06-25 23:55

This is just freaking great. I updated FileZilla and it installed with the default set to not store passwords, wiping out all the passwords in my site manager. This setting should have been turned off or a warning during the update. Luckily I have most of them saved in a backup of the sitemanager.xml.

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: clear-text passwords

#7 Post by boco » 2013-06-26 02:57

Slowly I'm beginning to think there's a glitch somewhere. :(

That feature isn't supposed to enable itself. Upon using the QuickConnect bar for the first time, you are presented with the choice to enable it. Updating users won't see it.

Could you check for a setting named:

        <Setting name="Prompt password change">0</Setting>
inside your FileZilla.xml? It's in ~/.filezilla or %APPDATA%\FileZilla, depending on OS.

iansane
500 Syntax error
Posts: 14
Joined: 2007-07-28 05:32

Re: clear-text passwords

#8 Post by iansane » 2013-06-27 13:54

Hi Boco,

The setting is there and set to 0 now but I've already unchecked it in preferences and gone back and entered the passwords on several accounts.

I don't use the quick connect option. Well, I have used it before to confirm a connection but then I go add the site in the site manager. I will admit it is possible at some point when using quick connect I absent-mindedly clicked through a prompt about saving passwords but I don't think so. What I do know is I did an update and then tried to connect to a site to find the setting had been enabled at some point.

BTW I know clear text isn't safe but I have multiple website accounts all with different long secure passwords I could not possibly remember so I choose to just try to keep a secure computer and network. Although I suppose I could store them all in KeePass or something instead.

Thanks

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: clear-text passwords

#9 Post by boco » 2013-06-29 16:51

> The setting is there and set to 0 now but I've already unchecked it in preferences and gone back and entered the passwords on several accounts.

That setting with a value of 0 just means the security question has been triggered.
My config doesn't have that line, maybe because I'm already on kiosk mode.

The real setting name is "Kiosk mode".
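
An added example, not part of the thread and not FileZilla's own code: a Python audit of the files named in the posts above (sitemanager.xml, recentservers.xml, FileZilla.xml) that reports which saved entries hold a password, without ever printing it, and whether "Kiosk mode" is switched on. The `<Server>`, `<Host>` and `<Pass>` element names, the helper names and all sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed samples, not real data. <Server>, <Host> and <Pass> are assumed
# element names; only the <Setting name="..."> form is quoted in the thread.
SAMPLES = {
    "sitemanager.xml": """<FileZilla3><Servers>
      <Server><Host>ftp.example.test</Host><Pass>constructed-pw</Pass></Server>
      <Server><Host>sftp.example.test</Host><Pass></Pass></Server>
    </Servers></FileZilla3>""",
    "recentservers.xml": """<FileZilla3><RecentServers>
      <Server><Host>old.example.test</Host><Pass>constructed-pw2</Pass></Server>
    </RecentServers></FileZilla3>""",
    "FileZilla.xml": """<FileZilla3><Settings>
      <Setting name="Prompt password change">0</Setting>
      <Setting name="Kiosk mode">0</Setting></Settings></FileZilla3>""",
}

def hosts_with_saved_password(xml_text):
    """Hosts whose entry has a non-empty <Pass>; the password is never returned."""
    servers = ET.fromstring(xml_text).iter("Server")
    return [s.findtext("Host", default="?") for s in servers
            if (s.findtext("Pass") or "").strip()]

def get_setting(xml_text, name):
    """Text of <Setting name=NAME>, or None when the setting is absent."""
    for s in ET.fromstring(xml_text).iter("Setting"):
        if s.get("name") == name:
            return (s.text or "").strip()
    return None

def audit(files):
    """files maps file name -> XML text or bytes; returns finding strings."""
    findings, kiosk = [], None
    for name, text in files.items():
        for host in hosts_with_saved_password(text):
            findings.append(f"{name}: saved password for {host}")
        value = get_setting(text, "Kiosk mode")
        kiosk = value if value is not None else kiosk
    if kiosk in (None, "0"):
        findings.append("Kiosk mode is 0 or unset: password saving is not disabled")
    return findings

def load_dir(config_dir):
    """Read the three files (matched case-insensitively) from a config directory."""
    d, wanted = Path(config_dir).expanduser(), {n.lower() for n in SAMPLES}
    return {p.name: p.read_bytes() for p in (d.iterdir() if d.is_dir() else [])
            if p.name.lower() in wanted}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLES)))  # or audit(load_dir("~/.filezilla"))
```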
