3
2
Filezilla or WinSCP save password in plain text which is unsecured on public machines. Is there any FTP client can save and encrypt password so that people using it only can access to FTP but not able to see password? Thanks!
Stan
Posted 2010-01-23T04:27:04.340
Reputation: 6 535
5
Eventually ends up by using WinSCP which encrypt (or hash?) password and save in registry. So it's not easy to see plain text pwd.
Stan
Posted 2010-01-23T04:27:04.340
Reputation: 6 535
Read about Security of Credentials and Master Password in WinSCP documentation.
– Martin Prikryl – 2015-01-29T07:26:49.4601Note: Master Password option is not enabled by default, after enabling it only it will encrypt password securely. – Morbia – 2012-02-17T09:53:12.123
1
FileZilla developers said that OS should secure passwords for you , but what if someone got acces to your PC (direct acces , without hacking , just sitting in your chair) and looks at your passwords in that SiteManager's XML ?
Wrong
Posted 2010-01-23T04:27:04.340
Reputation: 11
1The password is not stored in plain text. – Ramhound – 2011-10-12T19:29:49.810
2Password IS stored in plain text (FileZilla case). If you use FileZilla , look into your C:\Users\your_username\AppData\Roaming\FileZilla\sitemanager.xml file and see how your passwords are stored. – Wrong – 2011-11-20T01:51:30.863
1
If you can use the password, you can decrypt it as well, by using the same algorithm as the program uses. Even if you do not know the algorithm, you still can sniff the plain-text authentication using Wireshark.
user1686
Posted 2010-01-23T04:27:04.340
Reputation: 283 655
1
WinSCP does not save passwords in plain text.
Though obviously it can only "obfuscate" the password. It is not possible to securely encrypt passwords in a way that still allows for automatic use.
Read about security of credentials.
For better security, you can enable password encryption using master password.
Martin Prikryl
Posted 2010-01-23T04:27:04.340
Reputation: 13 764
1
Cyberduck for Windows stores passwords (Wiki) encrypted using the System.Security.Cryptography.DataProtector API.
David Kocher
Posted 2010-01-23T04:27:04.340
Reputation: 312
0
If you're connecting via FileZilla's Site Manager, there's an option below the password field to prevent saving the password.
If you use Quickconnect, the password is saved encrypted in the XML file, and you can click the drop-down menu on the right and clear the history. Then the password will not be stored in the XML file.
Where is the evidence that FileZilla saves plaintext passwords?
Assuming you don't clear and empty the history, the password is only saved if you have this setting in the filezilla.xml file:
<Item name="Last Server dont save pass" type="numeric">0</Item>
This is in the FileZilla installation directory, normally under Program Files, but if you can edit the file and change the setting to 0, the last-used site's password won't be saved at all.
njd
Posted 2010-01-23T04:27:04.340
Reputation: 9 743
Thanks. However, when having tens of site in Site Manager, I definitely don't want to memorize all pwds. I am just looking for a FTP client that can encrypt saved pwd to prevent from others easily seeing the pwd in plain text configuration files. That's it.
WinSCP use a master pwd to guard all saved pwd in Site Manager. However, is there any other client can even do encryption with out a master pwd? – Stan – 2010-01-23T20:12:11.923
I had a look at Filezilla's bug tracker and there has been a lot of argument about this. The Filezilla coders argue that there's no point as your OS should guard all your passwords for you. Encrypting them once your machine has a keylogger installed makes no difference. http://is.gd/6RdTl
– Iain – 2010-01-23T08:09:19.520