3

I use Firefox plugin FireFTP which stores FTP credentials in encrypted files. Sublime plugin FTPSync seems to store FTP credentials in a regular file. Does that make it unsafe to use?

drake035

2 Answers

3

In general, FTP isn't that safe to use. It is way too easy for hackers to hack into your server, and then they can delete your files, change them, and/or steal them. They could even get information to access your database too! I recommend that you turn off FTP on your server right away.

Instead, try using a program like WinSCP. You can use SFTP, which stands for Secure File Transfer Protocol. Then you can transfer your data between you and your server through an encrypted connection.

UnderMyWheel
  • That's a bit misleading. You forgot to mention the alternative (SFTP, SSH or perhaps something else) and also WinSCP works with FTP as well and it's not an alternative to FTP, it's just a way to use FTP or any other supported protocol. It's just client software (very good software, but nonetheless it's not an answer). The main problem with FTP is that it sends passwords and logins in raw, unencrypted format. But switching to SFTP wouldn't help defend the raw login and password that are stored in the plugin's settings. I'm afraid this answer has little to do with the actual problem. – Dmitriy Gamolin Nov 26 '16 at 19:58
  • @DmitriyDemir I use WinSCP and I have FTP off on the server. Using SFTP, the information is transferred over an encrypted connection. – UnderMyWheel Nov 26 '16 at 22:11
  • Oh, well, after all the question was about whether this plugin is secure and not how to make it secure. And yeah, it doesn't work with SFTP so that's an extra point against using it. – Dmitriy Gamolin Nov 27 '16 at 02:18
  • The plugin is unsafe because it is sending everything through FTP which is known for being hacked by hackers. That's why I recommended that he turn off FTP on the server and use something like WinSCP while transferring with SFTP. – UnderMyWheel Nov 27 '16 at 06:46
  • Yeah, got it, just wanted to clear things up a little :) – Dmitriy Gamolin Nov 27 '16 at 11:05
1

Unfortunately I can't just post a comment to your question, because I don't have enough reputation yet. But since there's such a lack of activity on this topic (I'm researching this topic at the moment and discussions on it seem to be rare), I'll add my speculations as an answer...

Indeed it's risky to store your passwords in plain text. However, the risk here is only if someone can get access to these files, which could be a hard task if you spend enough time on your PC's security (using a firewall and a GNU/Linux OS, encrypting your hard drive, locking your session whenever you leave your computer, having strong passwords, etc.). As long as you aren't involved in "big projects" and have just a couple of credentials stored there and you take care of other security aspects, I guess the risk is relatively low. But personally I would either search for a more secure solution or find a way to encrypt these files. Unfortunately I'm also searching for either of these options right now, so I can't give any specific recommendations on that.

Another option would be to set passwords to null, that way you'd have to manually enter them whenever you connect to the server (the plugin will request them).
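
Added example, not part of either answer or of the FTPSync project: a small audit that flags settings files which still hold a password string and are readable by other local accounts, the two conditions the answer above turns on. It assumes the settings file is strict JSON with a `password` key and a POSIX file system; the file name, host and credentials in the sample are constructed.

```python
import json
import os
import stat
import tempfile

# Key names treated as secrets; "password" is the one the answer mentions.
SECRET_KEYS = {"password"}

def find_plaintext_secrets(node, path=""):
    """Return dotted paths of secret keys whose value is a non-empty string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                hits.append(here)
            else:
                hits.extend(find_plaintext_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return hits

def audit_settings_file(filename):
    """Report stored passwords and whether other local users can read the file."""
    with open(filename, encoding="utf-8") as fh:
        config = json.load(fh)
    mode = stat.S_IMODE(os.stat(filename).st_mode)
    return {
        "plaintext_secrets": find_plaintext_secrets(config),
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "mode": oct(mode),
    }

def make_sample(directory, password, mode):
    """Write a constructed settings file (hypothetical layout, not a real config)."""
    name = os.path.join(directory, "sample.settings")
    sample = {"default": {"host": "ftp.example.test", "username": "deploy",
                          "password": password}}
    with open(name, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(name, mode)
    return name

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_settings_file(make_sample(tmp, "hunter2", 0o644)))
        print(audit_settings_file(make_sample(tmp, None, 0o600)))
```

A file with the password set to null and mode 0600 comes back clean; a stored password in a world-readable file is reported on both counts.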