Filezilla Password File

[halfbrazilian]

I have been using Filezilla as a SFTP client for about a year now. I just discovered two things about Filezilla that made me angry. Number 1, Filezilla stores previous sessions under the quick connect button. All someone has to do to connect to your files is go onto a computer that you used Filezilla on, and click on the arrow next to the quick connect button and click your username. This can be done from any user on the client system. Number 2, not only does filezilla save my password without asking if I would like it saved first, it stores the password as plain text in a file. Honestly, both of these items are security risks that should be taken out of the software. For now, how does one go about keeping filezilla from saving sessions and passwords altogether by default. I mean, I would like if it stored the public key of the server in order to prevent man-in-the-middle attacks but I do not want it storing my passwords. I should have to type my password every time in order to log in to a session.

[boco]

Use the file fzdefaults.xml to switch Filezilla into kiosk mode. It will then refuse to store any passwords. A sample file called fzdefaults.xml.example (with instructions inside) is in the docs subdirectory.

The plaintext passwords won't be changed. Search the forums why obfuscation wouldn't work. The OS is responsible for restricting access to your Filezilla configurations.

[onetimeonly]

Kiosk mode seems like a good solution.

It shouldn't be necessary to jump through all kinds of hoops to even discover that kiosk mode exists. No software should ever store passwords silently, without asking. If it asks, that's a hint to the administrator that something has to be turned off. It'a a flaw in other software that they store passwords, but at least most of them signal you that they're doing it.

I agree that storing passwords in plaintext is a reasonable practice if you need to be be able to retrieve them. However, other than a password locker sort of program, I'm not convinced that any software needs to be able to retrieve passwords. Your huge gaping security hole is not storing passwords in plaintext. It is saving them at all.

I've converted our installations to kiosk mode. My users are used to Filezilla, so I'm not getting rid of it right away. However, I'm now actively looking for an alternative. I've always thought that Filezilla was an excellent program. I'm not so convinced now.

[sgoggins]

Well, as unsecure as this feature is, it just *saved* me from a forgotten password! (And i only use Filezilla on a laptop I maintain physical control over)

Sean

[maathieu]

Still wondering why in 2010 it is so hard to implement a Master Password policy, just as Firefox or Thunderbird do. Encryption then cannot be broken unless you know the Master Password, which should NOT be stored anywhere.

Talking about this issue: the name "Filezilla" makes many users think that it is somehow related to the Mozilla project (Firefox, Thunderbird), thus letting users believe that all those applications follow the same coding practices and offer the same security. However it is not the case as Filezilla stores passwords in plain text. If there is no advancement on this subject, some users may get in touch with the Mozilla foundation and ask them what they think about it.

Cheers,

maathieu

[botg]

Open Explorer, go to %APPDATA%. Right-click the FileZilla item and chose properties. In there, enable encryption. Your Windows password is now your master password. You enter it when you log into Windows.

[boco]

Just a small addendum concerning Windows:

• Windows XP Home
• Windows Vista Starter, Home Basic, Home Premium
• Windows 7 Starter, Home Basic, Home Premium

The operating systems above do NOT support the procedure botg mentioned. If you have any of these OS', you need to use 3rd party solutions (Truecrypt). Thank Microsoft for providing software with crippled security.