Filezilla password plaintext disaster

[BigBang]

Hi

Im a freelancer and get the money for my familly with this job.

There is about 50 costumer who trust on me and on my services.
They pay me for security and support.

The day come as all my costumers call me and tell they was hacked!
My world was going down. And i dindt understand what happend.
Why alle my costumers on different servers with different Systems hacked
on them i didnt conntect since years?

Google help me and i was really shocked about. Filezilla, one of the "best" FTP programm
made me this gift. Thank you.

I got a Trojan on my system, shit happens, this trojan send all my data stored
on plaintext by Filezilla.

Im ok with "this is not the Job of Filezilla to keep Trojans out" but
getting ALL MY COSTUMERS ACCESS DATA cause Filezilla dont encypt the passwort
you think ist ok?

Other FTP programms DOES encrypt!

I am working now since 3 days without sleep to save my costumer reputation
and put the sites online one by one. My poor daughter she dont understand what happend with daddy.

Do the developper knows how many sites get hacket just why they dont change mind?

It is so hard to encrypt the passwords? Windows isnt save everybody know it.
A second security barrier is needed with this kind of sensitive data.

I work behind Hardware Firewall, actual Antivirus Avast 7. Firefox updated, Windwos7 updated.
Nothing helped me to prevent this one.

I found out there is a lot of professional who write: "do not use Filezilla"
Google: Filezilla passwords plaintext / Filezilla trojan

If some admin delete my statement, i will find +10 blogs to post it, its a promise.

[xeon]

They pay me for security and support.

I got a Trojan on my system

Are you sure you're in the right line of work?

[botg]

If you've got a trojan on your computer, no amount of password obfuscation will help.

Instead, you need to prevent the infection in the first place.

[beededea]

The last two responses to this admittedly old post are appalling. The poor chap is stating his personal disaster caused by using an inadequate tool that should not be used on Windows. Do you really feel it appropriate to offer curt and sarcastic messages in response to a genuine plea for acknowledgement?

Some o/s provide decent security but we all know Windows in some flavours does not. Filezilla has inadequate security for Windows, storing its passwords in plain text in an unsecured area - and therefore either Filezilla or this functionality should therefore not be offered on this platform. If filezilla continues to be offered for windows then big warning signs should be displayed on the quick connect and other configuration options that state "Filezilla will store your passwords in plain text, enable or disable?"

My suggestion is that any windows users drop filezilla like a hot cake now! Use an open source tool like WINscp that has protection to password data using encryption and a master password. Remember all sensitive information stored on a computer must be encrypted and all steps taken to ensure protection against keyloggers, trojans &c.

I think the general response to this sort of problem on the filezilla forums is inappropriate and tantamount to trolling poor unsuspecting users of the filezilla client.

[botg]

You can already disable saving of passwords in the settings dialog of FileZilla.

[boco]

The problem is not that Windows is insecure (modern versions offer decent security). The real problem is that it is configured in an insecure manner by default, and many users don't know or care to turn it on. Security and convenience are mutually exclusive, you always give up some of one to get some of the other.

[beededea]

You can already disable saving of passwords in the settings dialog of FileZilla.

Thank goodness for that - it took a long time for that one to sink in, I noted the previous arguments and rants in the various posts on this subject and in disgust to the main devs responses, I gave up using Filezilla client a while back.

The problems that occurred due to "the plain text disaster" are those that you discover only after you have been hacked and it is not much good to find out after the event... My machine was well protected (malwarebytes, avast, clamwin, sygate) and I am a sys. admin. going back many years so I know my stuff, still a trojan infected my PC through a fake Adobe update. Four passwords were trawled from filezilla within an instant even though I shut the system down within seconds of the infection occurring. Had I known that filezilla stored plain text passwords I would have taken steps to secure the data but I didn't know about filezilla's peculiarities/vulnerabilities, nor did the poor chap above. You could almost think of filezilla as a trojan in itself planting a back door way in for anyone to exploit! Sabotage for windows... that's a good name for the product.

As a result I now use WinSCP, no looking back, once bitten, twice shy. However, I still use and recommend filezilla server and aim to contribute positively to the project if I can.