Hide password File ?
Moderator: Project members
-
- 500 Command not understood
- Posts: 1
- Joined: 2012-02-16 14:20
- First name: Jeff
- Last name: Mack
Hide password File ?
Hey guys,
So I have been using FileZilla for a long time. But I also had my websites hacked a couple times, and after some vigorous work, I found out that my computer was infected and the virus was able to get my FileZilla password file. So my question is this: is there a way to either hide or encrypt the FileZilla password file?
Thanks
<Signature removed due to violation of forum rules (no promotion/advertising)>
Re: Hide password File ?
Encrypt your user home directory.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
Re: Hide password File ?
You can disable saving of passwords in the settings dialog of FileZilla.
Re: Hide password File ?
boco wrote: Encrypt your user home directory.
And how exactly does that help? My understanding of how an encrypted home directory works (at least it does with something like TrueCrypt) is that the encrypted volume is mounted while the computer is on and the user is logged in. This means your sitemanager.xml file is decrypted on the fly for any application that requests it and so no protection is provided. The encrypted home directory only helps when the volume is unmounted.
Thankfully, the project is open source and I have been able to modify it to suit my own needs.
Re: Hide password File ?
Quote: My understanding of how an encrypted home directory works (at least it does with something like TrueCrypt) is that the encrypted volume is mounted while the computer is on and the user is logged in.
Yes, exactly. You are expected to log off or lock when you walk away.
Encrypting the home directory doesn't work against malware running in your user context. But neither does obfuscation.
Re: Hide password File ?
boco wrote: Encrypting the home directory doesn't work against malware running in your user context. But neither does obfuscation.
Locking the front door to my house doesn't protect me against the competent thief who knows how to pick the lock but that doesn't mean I am going to start leaving my door unlocked so that anyone can get in. Same thing applies here. Just because someone can write specialized malware that knows to wait for me to enter my master password so it can read my passwords from RAM, doesn't mean that I want to make it easy for them by leaving them in a plaintext file on my hard drive.
Re: Hide password File ?
You're using the wrong analogy.
Correct one: If the thief is already in your house, locking the front door does nothing.
Re: Hide password File ?
I figured you would come back with that...
Ok, so how about storing my valuables in a locked safe in my house instead of an unlocked safe?
Re: Hide password File ?
Same thing, if the thief is already in your safe...
If there's malware already on your computer, you've lost already. Your system has been compromised at that point.
However if your system is secure, you can use nuclear missile launch codes as desktop background.
-
- 500 Command not understood
- Posts: 5
- Joined: 2008-08-27 08:09
- First name: William
- Last name: P
Re: Hide password File ?
Has anyone had experience with this one? I have... I'm switching!
http://www.couchcms.com/forum/viewtopic.php?f=4&t=6923
Re: Hide password File ?
That's your good right. If you think security through obscurity is good enough for you, then bye.
-
- 500 Command not understood
- Posts: 5
- Joined: 2008-08-27 08:09
- First name: William
- Last name: P
Re: Hide password File ?
Let's not talk about "rights"
Don't you agree that keeping this kind of information in a plain text file is a bit too easy?
Even with a decent AV there's no guarantee to stay clean, so what would you suggest?
Not saving credentials?
ps, I chose to switch but I didn't like that at all since I liked FZ a lot ... !!!
That's why I was really surprised to discover this, I'd have guessed that our data was protected, anyway, hope to use FZ again soon...
Re: Hide password File ?
Quote: Don't you agree that keeping this kind of information in a plain text file is a bit too easy?
Define "easy". Any attempt to obfuscate password information will be countered by malware writers without any problems. Since FileZilla is Open Source, it is not even possible to keep anything secret in the code (the kind of "hiding game" some commercial closed source apps play).
Quote: Even with a decent AV there's no guarantee to stay clean, so what would you suggest?
A decent AV (if such a thing even exists) is not an excuse to feel safe. Many people rely on AVs, firewalls and similar stuff, and then wonder why they get burned. The biggest security problem is in front of the screen!
Quote: Not saving credentials?
Yes. I run kiosk mode 1 for years now. Maybe you can use a dedicated software like KeePass (Open Source, that one has strong encryption) if that gives you a warm and fuzzy feeling. KeePass can even auto-enter the information into the FileZilla dialogs IIRC.
Quote: I'd have guessed that our data was protected, anyway, hope to use FZ again soon...
Only you can protect your data. No software can guarantee data safety, no matter what they tell you.
Re: Hide password File ?
Hi guys,
before I start... I'm new to this forum. FZ is (still) my favourite FTP client. I'm a professional software developer (mainly C/C++) and consider myself as an "experienced" user
Let me tell you what I'm thinking about this issue:
Quote: Only you can protect your data. No software can guarantee data safety, no matter what they tell you.
Agree. It is the user's own responsibility to care about security of his data.
Quote: However if your system is secure, you can use nuclear missile launch codes as desktop background.
Agree also in that point. On a secure system the user's data are protected from other users or "evil software".
Some thoughts about this:
On a Linux system, I see no need at all for password encryption. Via file and directory permissions it is easy to protect data from other users' curious looks.
And Linux users usually "know what they are doing".
Recently I've read a tutorial about setting up a mail server on Linux. Even in some server configuration files, database passwords are stored in plain text. But where is the problem if only root can access them?
However, let's talk about Windows:
My experience is that most Windows users don't really know what they are doing (although they often think so...).
I agree in that point, that if my PC gets infected with malware, I'm already in big trouble. So, MY first reaction would be to reinstall the OS and change my internet passwords. But several times I've seen PCs which were infected by malware whose owners didn't even KNOW about that. And let's be honest: the risk to get infected is still a lot higher for Windows systems than for Linux systems.
Unfortunately there seems to be a Windows malware which reads FZ's FTP credentials which are stored in plain text and uses them to infect web sites to spread around the internet. So you see, it is really happening!!! Of course, password encryption (via Windows CryptoAPI, e.g.) without an additional user-defined key or entropy doesn't really solve that problem, because it's possible to write malware capable of decrypting the credentials. But this is still harder than just writing a little piece of software that parses the XML file. I understand that password encryption requiring user-defined information is not desirable for some users who expect it to work out of the box, however this would probably offer the security that some people want. That's a sort of dilemma.
So what can be done? My suggestions:
1. "Save password" should be turned off by default.
2. If the user decides to save his passwords, he must be given a hint (maybe with a big red blinking exclamation mark) that protection and security is his own responsibility (no matter if encryption is done or not).
3. Password encryption should be provided as an option.
This doesn't solve any of Windows's security flaws and it doesn't prevent an "average user's" PC to get infected by malware from time to time. This even happens to experienced users... But it might help to LIMIT THE DAMAGE caused by malware. This would be worth it. Think about this, dear developers. It is the least thing you can do to help the users.
But just saying things like "If your system gets infected, it is your own fault, don't bother me with that..." is, in my opinion, arrogant, ignorant and silly, considering of which "type" most Windows users are... with an attitude like this, you are helping the "bad guys"!
Dear developer(s), I'm not going to keep bothering you with that issue. But I'm seriously thinking about contributing some code concerning password encryption (or maybe I'll build my own FZ version. It is open source, so why not...).
Regards
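The Linux point in the post above (file and directory permissions keep other users out) can be checked rather than assumed. The following audit is an added example, not code from the thread or from FileZilla; it assumes a POSIX system and a sitemanager.xml layout of Server elements with Host and Pass children, and it reports host names only, never the stored passwords.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption, not taken from the thread.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.org</Host><User>alice</User><Pass>constructed-secret</Pass></Server>
  <Server><Host>files.example.net</Host><User>bob</User></Server>
</Servers></FileZilla3>
"""

def audit_site_manager(path):
    """Report who besides the owner can reach the file and which hosts have a saved password."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %o grants access to group/other" % stat.S_IMODE(mode))
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory mode %o is writable by group/other" % stat.S_IMODE(pmode))
    # Collect host names of entries that carry a non-empty <Pass>; the value is discarded.
    hosts = []
    for server in ET.parse(path).getroot().iter("Server"):
        secret = server.findtext("Pass")
        if secret and secret.strip():
            hosts.append(server.findtext("Host", default="?"))
    return {"permission_findings": findings, "hosts_with_saved_password": hosts}

def demo():
    """Audit the constructed file with a world-readable mode, then again after tightening it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sitemanager.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit_site_manager(path)
        os.chmod(path, 0o600)
        after = audit_site_manager(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

A clean permission report only covers other accounts on the machine; as the thread argues, software running as the same user can still read the file.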
Re: Hide password File ?
What do you mean?