Plain text password storage

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Locked
Message
Author
t5
500 Command not understood
Posts: 1
Joined: 2007-09-12 07:40

Plain text password storage

#1 Post by t5 » 2007-09-12 08:07

Site Manager settings are stored in Documents and Settings\User Name\Application Data\FileZilla\sitemanager.xml file with passwords in plain text format. Is it possible to store these passwords in encrypted format like it was in FileZilla 2?

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

#2 Post by botg » 2007-09-12 11:26

This is by design. It's the task of the operating system to protect the user's files.

radsluk
500 Command not understood
Posts: 1
Joined: 2007-09-12 11:49

unprotected password storage???

#3 Post by radsluk » 2007-09-12 11:53

i don't know man, is it problem to store hash of passwords instead of password itself?
i think it's radher sick to hope that operating sys will protect such things specially when most of people have win-shit
it seems i'll use old filezilla
:?

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: unprotected password storage???

#4 Post by botg » 2007-09-12 12:23

radsluk wrote:i don't know man, is it problem to store hash of passwords instead of password itself?
Not possible since hashes aren't reversible. And the original password is needed for login.

Jive
500 Command not understood
Posts: 1
Joined: 2007-09-12 19:17

#5 Post by Jive » 2007-09-12 19:26

I have to agree completely with the original poster. Storing passwords as plain text in the config file is just bad news. It is for this reason that I completely removed FZ3 upon finding this out (about 2 minutes after I installed it).

It may be the responsibility of the OS to secure these files, but what OS does this? Definitely not Windows, which appears to be the platform for the majority of current users.

Even though the password encryption was not extremely secure in FZ2, at least they weren't overtly visible. Now, there's no way I could open the config file for FZ3 without someone just passing by to see all of my (and my clients') passwords.

It's unfortunate that I won't be using this new version, as it seems that a lot of work has gone into it.

TonyZ
500 Command not understood
Posts: 1
Joined: 2007-09-13 03:19
Contact:

Re: unprotected password storage???

#6 Post by TonyZ » 2007-09-13 03:37

botg wrote:
radsluk wrote:i don't know man, is it problem to store hash of passwords instead of password itself?
Not possible since hashes aren't reversible. And the original password is needed for login.
Plain text storage of passwords is a serious security breach. This can be fixed fairly simply as follows:

1) use a random number generator where the seed is based on a hash of the host name.
2) for each character of the password, generate a random number, and add it to the value of the character to create a code which is stored as hexadecimal or octal in the sitemanager.xml file.

For decoding, the process is reversed. The random number generator is re-initialized with the hash of the host name, and each successive random number is subtracted from the corresponding stored hexadecimal code to regenerate the characters of the plain-text password.

The whole procedure should not take more than 20 or 30 lines of code.

User avatar
boco
Contributor
Posts: 25189
Joined: 2006-05-01 03:28
Location: Germany

Re: unprotected password storage???

#7 Post by boco » 2007-09-13 04:59

TonyZ wrote:
botg wrote:
radsluk wrote:i don't know man, is it problem to store hash of passwords instead of password itself?
Not possible since hashes aren't reversible. And the original password is needed for login.
Plain text storage of passwords is a serious security breach. This can be fixed fairly simply as follows:

1) use a random number generator where the seed is based on a hash of the host name.
2) for each character of the password, generate a random number, and add it to the value of the character to create a code which is stored as hexadecimal or octal in the sitemanager.xml file.

For decoding, the process is reversed. The random number generator is re-initialized with the hash of the host name, and each successive random number is subtracted from the corresponding stored hexadecimal code to regenerate the characters of the plain-text password.

The whole procedure should not take more than 20 or 30 lines of code.
The source of Filezilla is Open Source. The hacker would download the sourcecode, get your .xml file, reverse the process. What have you gained? This method would be a good protection from kibitzing, however.

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: unprotected password storage???

#8 Post by botg » 2007-09-13 07:51

boco wrote:The source of Filezilla is Open Source. The hacker would download the sourcecode, get your .xml file, reverse the process. What have you gained? This method would be a good protection from kibitzing, however.
Press Win+L whenever you leave your computer and set a BIOS password. No kibitzing possible.

FileFirst
504 Command not implemented
Posts: 10
Joined: 2007-09-19 03:46

That is an incredibly lame excuse

#9 Post by FileFirst » 2007-09-19 03:55

No offense, but there's no excuse for storing passwords in plain text in this day and age.

Encryption algoritym's are open source too. You can get one cheap. Leaving passwords in open source is just an invitaiton for Filezilla config files to become the immediate primary target for hijack on the 'net. You could at least make it challenging for them to hack it out.

Anyone who knows anything about programming (and certainly the Filzilla developers do) knows that Windows lacks any real file protection for the logged on user and is wide open to theft.

Time to find a new FTP client.

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: That is an incredibly lame excuse

#10 Post by botg » 2007-09-19 09:24

Time to find a new FTP client.
Goodbye.

quark
500 Syntax error
Posts: 15
Joined: 2004-09-18 16:14
First name: Asbjørn
Last name: Ulsberg
Location: Oslo, Norway
Contact:

#11 Post by quark » 2007-09-19 13:18

I have to agree with the OP too. Passwords should never be stored in plain text, anywhere. The encryption algorithm needs to incorporate a key that isn't known to the FileZilla codebase, which of course is available to everyone since it's open source. When FileZilla installs, it can ask the user to provide a "master password" or to press a random set of letters that will act as the private key used to encrypt and decrypt all local passwords inside the XML file. Since this key is only known on the client computer and by the user (the password can even be entered every time FileZilla starts to not have to save it on disk anywhere), the XML file is useless without the key.

The previous versions of FileZilla stored passwords in a (seemingly) encrypted manner. I have no idea how hard those were to brute force and break, but since older versions had this, why doesn't the new one have it too?
«Just because the fuck has a library card, it doesn't make him Yoda» - Detective David Mills, Se7en.

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

#12 Post by botg » 2007-09-19 14:18

Because it's pointless. End of discussion.

Locked