Re: FileZilla 3 development diary

Posted: 2017-05-26 23:13
by botg
Did you check the "Remember" checkbox?

Re: FileZilla 3 development diary

Posted: 2017-05-26 23:59
by boco
When connecting to the server from the Site Manager, there is no "Remember" checkbox.

Re: FileZilla 3 development diary

Posted: 2017-05-27 18:40
by bfhfgzu5n
botg wrote: I'm glad you like a feature that doesn't even increase security. ;)
Why the snide comment?

You said yourself that
botg wrote: Incidentally, this functionality is indistinguishable from not storing passwords at all from a security perspective.
To me this sounds like the feature will at least increase usability without compromising security.
If you didn't value usability then why create FileZilla Client in the first place?

Also it helps to look at how people are using software. Assuming many are storing their passwords in plaintext then you can say that is lazy and not responsible behavior. And you would be correct -- but still not helping the issue. But giving the option to make stored passwords "indistinguishable from not storing passwords at all from a security perspective" to me sounds much like "a feature that does [...] increase security".

Thank you for that and have a nice weekend!

Re: FileZilla 3 development diary

Posted: 2017-05-28 07:19
by kazimir_
botg wrote: I'm glad you like a feature that doesn't even increase security. ;)
But it does. It is much easier for malware to just wait until some date in the future, and silently read the password file. This could be hidden in any kind of program, it doesn't even have to be continuously active or run in the background or do anything. And it doesn't depend on FileZilla running or the user doing anything FTP related. A program can just wait until whenever it's being run after some date in the future, and steal the passwords.

Now with this new security feature, malware would have to run continuously in the background, access FileZilla's program memory (which isn't always possible), or run a keylogger, or intercept traffic (which still only works in case of plain FTP), etc.

It's just like you say: attacker category A and B. There is a HUGE difference between those two. Category A doesn't have to be active, or keep running in the background. It can attack at just one random moment, and FileZilla doesn't have to be open at the same time.

Category B on the other hand requires to be actively running in the background, constantly monitoring or intercepting stuff. And it requires FileZilla to open connections during that time. You mention two kinds of "passive" attackers in category B, but they're not passive at all. Not actively running = no attack vector.

This is:
1. harder to implement
and more importantly
2. MUCH harder to do unnoticed

So thank you! Thanks a LOT for finally adding this much beloved feature! Can I donate somewhere to express my gratitude? Do you accept bitcoins?

Re: FileZilla 3 development diary

Posted: 2017-05-28 08:56
by botg
boco wrote: When connecting to the server from the Site Manager, there is no "Remember" checkbox.
Will be fixed in the final release.

Re: FileZilla 3 development diary

Posted: 2017-05-31 12:57
by botg
kazimir_ wrote:
botg wrote: I'm glad you like a feature that doesn't even increase security. ;)
But it does.
A master password does not offer any additional security. It is no more secure than not saving passwords at all, functionality that has already been in FileZilla for many years.

Technically using a master password isn't even as secure. If not saving passwords, keylogging malware can only intercept those passwords that are entered while the malware is running. With master passwords, it immediately gets access to all encrypted passwords as soon as the master password is entered.

Re: FileZilla 3 development diary

Posted: 2018-08-17 15:12
by botg
I spoke of this before, and finally the day has come: In the next version of FileZilla, it will be much more difficult to use insecure plain FTP, it will require explicit confirmation.