You are here

Filezilla recent account password in plain text

5 posts / 0 new
Last post
chaosschorsch
Offline
Last seen: 10 years 4 weeks ago
Joined: 2008-09-27 12:42
Filezilla recent account password in plain text

Dear developers,

is it really necessary to store even passwords in plain text format in the file
"drive":\winPenPack\Bin\FileZilla\Data\settings\filezilla.xml
??
I'm using Filezilla portable version 3.1.1, but as this topic is not addressed in the change log, I suppose v 3.1.2 handles pws the same way.
I think that's pretty unsafe, isn't it?

Regards
chaosschorsch

LOGAN-Portable
LOGAN-Portable's picture
Offline
Last seen: 11 years 10 months ago
Developer
Joined: 2007-09-11 12:24
I personally have discussed

I personally have discussed it with the FileZilla developers when v3 came out. They didn't think it was necessary anymore and I tried to talk them out of it but had no luck. Their reasoning was somewhat understandable; the passwords were stored in a format that obscuviated them but was easily broken. When someone that has access to FileZilla there's nothing stopping them from accessing the web space, copy the password file or whole app and use it elsewhere. So this is (also in my opinion) a shortcoming to this otherwise great application. But it would have been more usefull to encrypt the passwords and have a 'master' password.

I did the following, I made a small truecrypt container that has the FileZilla portable inside the container and a special launcher that asks for a password for the encryption. Downside is that it needs Admin rights but the positive side is the passwords are protected.

On a closing note I like to let you know that PortableApps.com doesn't make the applications themselves, they only provide the means to use the applications from removable media like an USB flash drive. So keep in mind that any problems related to any application's functionality is something that should be addressed to the developers of the application itself. The developers you find here are only responsible for the portability of the applications by means of creating a launcher.

I hope this explanation will provide helpful. And as it stands, I still agree with the problem to have passwords stored in an unencrypted form although, as mentioned, it would not protect you from someone else using the password file with the application itself if they got access to your FileZilla. Please refer your concerns to the official FileZilla developers.

Steve Lamerton
Steve Lamerton's picture
Offline
Last seen: 11 years 2 months ago
Developer
Joined: 2005-12-10 15:22
It is

worth noting my thoughts here, as a developer of an encryption app.

When it comes to passwords I chose to store none in my app, becuase as mentioned above however you obfuscate it, because we are open source, someone could take a look in the source and then reverse it. It is for this reason that I personally would recommend not storing any of you passwords anywhere if you can possibly avoid it.

LOGANs choice is a good one, by keeping saved passwords in a volume you reduce the number you need to remember, but also the size of the reward if your one password was broken. Another way of doing this would be to use KeyPass to remember them and then input them when you are asked.

There is not really an ideal solution to this problem, but hopefully I have shed a little light onto why!

EDIT: Master passwords are another option, it simply moves the password barrier from KeyPass to your app, personally I would trust the encryption of KeyPass more than whatever the app writer has implemented, but it is effectivly the same solution, just moved slightly.

chaosschorsch
Offline
Last seen: 10 years 4 weeks ago
Joined: 2008-09-27 12:42
my decision based on your comments

Thanks for all the detailed and valuable comments. I do not use Filezilla for FTP transfers on my PC, so I was not aware of the fact that the non-portable version of Filezilla introduced the kind of pwd storage.

IMHO, un-encrypted pwds are more dangerous on my USB drive than on my hard disk, because I frequently use the USB drive in highly unsafe environments like internet shops. Even if I would not use Filezilla there, someone could read the account details from my USB drive harnessing "evil" software.

Taking into account your concerns, I have decided not to use the server manager any longer but to store account information on my mobile phone within a "password-protected safe".

Thanks again,
chaosschorsch

m-p-3
m-p-3's picture
Offline
Last seen: 7 months 1 week ago
Joined: 2006-06-17 21:25
To add some misc. info

Pidgin does save the passwords in plain-text too.

Anyway, I use Toucan to secure those "sensitive files" so it act like a master password for my USB thumbdrive without requiring admin rights to proceed.

Log in or register to post comments