FTP Site Manager - Passwords *not* encrypted

jaycent
503 Bad sequence of commands
Posts: 20
Joined: 2007-09-19 20:08

#1 Post by jaycent » 2007-09-19 20:28

btog: After reading multiple posts on the forums, it is clear you do not agree that passwords should be stored encrypted. I fail to understand your reasoning behind this.

Why was KeePass invented? Should we just store our passwords in a notepad document and throw it in our AppData folder? That is security by obscurity and it is wrong.

You have to understand that in an enterprise, people use their Active Directory accounts to log into internal FTP servers. We use SSL or SSH to encrypt the connection so the login is not exposed. The login info is passed to the local server which then uses it for file system access. Without this crucial piece, users would have to remember more logins and would not have the tight controls that an Active Directory login requires.

In the discussion that you locked, it was clear that the majority were requesting encrypted passwords. Why would you not want to meet the overwhelming requests by your users? That will only muddy your reputation and in the end devalue this project.

Until this issue is fixed, FileZilla as of today, will no longer be installed on the 100+ computers that use it on our network. This very much grieves me as I have been a huge fan of FileZilla for years. I no longer can recommend this product to anyone, both enterprise and home user.

:(

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2007-09-19 21:53

jaycent wrote: Should we just store our passwords in a notepad document and throw it in our AppData folder? That is security by obscurity and it is wrong.
Yes, you should. If you protect your AppData, it's perfectly secure, nothing obscure in any way.
jaycent wrote: You have to understand that in an enterprise, people use their Active Directory accounts to log into internal FTP servers. We use SSL or SSH to encrypt the connection so the login is not exposed. The login info is passed to the local server which then uses it for file system access. Without this crucial piece, users would have to remember more logins and would not have the tight controls that an Active Directory login requires.
So, let's say FileZilla would obfuscate its passwords. What would that change? Instead of the raw passwords, an attacker gets the obscured password. Since FileZilla is open source, he would just look at the source and *ding* he has the original password. And in case of proprietary software he still has the source. Take a disassembler and *ding* again original password. And that doesn't even consider tools specialized in unobfuscating passwords which know the obfuscation schemes of most programs.

If the user does not want to memorize passwords, he has to store them somehow in some place. If that place is not secure, he can as well put a post-it note on his monitor.
jaycent wrote: In the discussion that you locked, it was clear that the majority were requesting encrypted passwords. Why would you not want to meet the overwhelming requests by your users? That will only muddy your reputation and in the end devalue this project.
If you see a couple of flower people protesting to legalize certain drugs, do you see the majority of the population protest against it at the same time? No? Thought so. Yet by your logic, the few protesters would be the majority.

jaycent
503 Bad sequence of commands
Posts: 20
Joined: 2007-09-19 20:08

#3 Post by jaycent » 2007-09-20 01:39

botg wrote: If you protect your AppData, it's perfectly secure, nothing obscure in any way.
Let's take a step back and look at the environment that computers are typically in. In the enterprise environment you have tight controls in place to ensure security on any given computer. What you cannot factor in, no matter how good your security is, is the ID10T factor. The ID10T factor comes into play when you tell your user to lock their computer when they leave their desk and they don't. The ID10T factor comes into play when someone opens that email that contains the latest virus that your virus scanner was supposed to catch but didn't. The ID10T factor comes into play when you have multiple people using one computer, all of whom are local admins but do not share the same FTP privileges. The list goes on and on. The point is, wherever you can help secure one area, the more smoothed out the security for the entire network can be. You can remedy all of those scenarios I just mentioned one way or another, I know! But at what cost? If the FTP program simply encrypts your password database, you do not need all those other controls in place! Yes, the cost gets transferred to the developer. But, if it only costs $500 to code it, then the savings are immense! You no longer are spending $10 for a sensor based computer locking device for each of your 10,000 users.
botg wrote: Since FileZilla is open source, he would just look at the source and *ding* he has the original password
You are assuming that FileZilla should use a hard-coded password or encryption key. You should never do that in a program. What you should do is ask the user for a Master password. Salt it to create the hash used to encrypt the Site Manager db. The salt would make it virtually impossible for it to be decrypted. I know it can be done because I use programs that do it. KeePass, for example, does this or something like it (it is open source and on SourceForge). From their site:
# SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
# In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#4 Post by botg » 2007-09-20 08:58

jaycent wrote: What you should do, is ask the user for a Master password. Salt it to create the hash used to encrypt the Site Manager db. The salt would make it virtually impossible for it to be decrypted.
Aha, now we're getting to the core of what you want. Password protected user settings.
FileZilla 2 did not have this, yet the continued lack of it suddenly caused a 180° change in your opinion about FZ:
jaycent wrote: Until this issue is fixed, FileZilla as of today, will no longer be installed on the 100+ computers that use it on our network.
jaycent wrote: What you cannot, no matter how good your security is, factor in the ID10T factor. The ID10T factor comes into play when you tell your user to lock their computer when they leave their desk and they don't
What if the user leaves FZ running in addition to not locking the system?

jaycent
503 Bad sequence of commands
Posts: 20
Joined: 2007-09-19 20:08

#5 Post by jaycent » 2007-09-20 15:04

botg wrote: now we're getting to the core of what you want
The ultimate goal/wish is that there is a secure *encrypted* database to store the passwords in. It doesn't matter to me how that is accomplished as long as it is secure. What the users need to do now is store the account information in KeePass, then manually type it into FileZilla. Why not just save the user that hassle?
botg wrote: What if the user leaves FZ running in addition to not locking the system?
Welcome to the enterprise environment. Looks like an auto timeout in FileZilla like what Keepass does would help prevent a breach in this case, eh?

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#6 Post by botg » 2007-09-20 15:11

jaycent wrote: Welcome to the enterprise environment. Looks like an auto timeout in FileZilla like what Keepass does would help prevent a breach in this case, eh?
Why not just set the screensaver to a 1 minute timeout?

jaycent
503 Bad sequence of commands
Posts: 20
Joined: 2007-09-19 20:08

#7 Post by jaycent » 2007-09-21 01:16

Ha. You are too funny, botg. :roll:

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#8 Post by botg » 2007-09-21 06:50

jaycent wrote: Ha. You are too funny, botg. :roll:
Why? It's a working solution, far cheaper than the "$10 for a sensor based computer locking device".

Palewolf
500 Command not understood
Posts: 2
Joined: 2007-09-21 10:37

#9 Post by Palewolf » 2007-09-21 10:59

Hey! I put a 20-minute screensaver timeout in place as a GPO at work a few months ago. People got a little confused at first, but it is definitely better than having lots of computers running with authenticated users without any protection for hours.

Anyways, as I stated in another thread, I think master password is the way to go.

jaycent
503 Bad sequence of commands
Posts: 20
Joined: 2007-09-19 20:08

#10 Post by jaycent » 2007-09-21 15:07

botg, the screen saver timeout is only part of the problem. Like I said earlier, you can remedy almost all of your security threats one way or another but at a cost. A lot of people do things at their desk other than simply type on their keyboard. They look at printed papers, make a phone call while looking at those papers, stand up and get something out of the shelf behind them, etc, etc. A 1 minute timeout would drive these people insane. Even if you did implement it, that still wouldn't solve a host of other issues presented by storing your passwords in clear text.

Botg, you need to read up on the Sarbanes-Oxley Act, SAS 70 audits and general security papers. None of them will say it is OK to store your password in clear text. As a matter of fact, they will say you must make sure they are not.

I know you believe it is not the program's responsibility to secure people's passwords. But you need to understand that it helps a great deal. It balances out the environment and ensures there are no "sharp edges" of security people have to deal with on their computer.

Feldon
500 Command not understood
Posts: 4
Joined: 2007-04-06 17:05

#11 Post by Feldon » 2007-09-22 13:41

lol...

do it because it makes people feel warm and fuzzy botg.

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#12 Post by botg » 2007-09-22 13:44

Feldon wrote: lol...

do it because it makes people feel warm and fuzzy botg.
Sure, I'll implement a Quad-ROT13 encryption scheme.

Or I'll just add a "Looking into this file is disallowed.txt", if someone still opens the XML files they'll get hit by the full power of the DMCA or so :P

Manhim
500 Command not understood
Posts: 5
Joined: 2007-09-22 06:08

#13 Post by Manhim » 2007-09-23 08:53

My brother already had a virus that simply uploaded all his computer's files. A scanner would try to find all passwords/CD keys by looking for some keywords in all files and registries. So having a protected password would protect users from this.

BTW, is there any way to have the passwords never saved? 'Cause I'm not the only user on my computer and I don't like it when my brother's friends look into my private things (like business secrets...)

jaycent
503 Bad sequence of commands
Posts: 20
Joined: 2007-09-19 20:08

#14 Post by jaycent » 2007-09-23 18:08

Alright, well it is obvious you could care less about security. Why you support FTPS, SFTP is beyond me when you don't encrypt the local file. It is arguably easier to get your password on your local machine than it would be in the middle of a transmission over the internet or network. Anyone that has just physical access to the machine could get it (this means the janitor can get the password off my machine).

It is obvious the target audience for FileZilla is not corporations or home users concerned with security. If that's that, then fine. I am just trying to help you understand how it works. If you want to stay ignorant or on your high pedestal of arrogance, then that is your choice. I want to continue to use FileZilla; I could even help donate to get the encryption scheme written. But, with your attitude, I don't even know if I would trust it if you did implement it.

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#15 Post by botg » 2007-09-23 18:27

jaycent wrote: Anyone that has just physical access to the machine could get it (this means the janitor can get the password off my machine).
Encrypt your disks.
