Ticket #1373 (reopened Feature request)

Opened 21 months ago

Last modified 11 days ago

[Security] Passwords saved as plain text

Reported by: greg_grossmeier Owned by:
Priority: normal Component: FileZilla Client
Keywords: Cc: greg_grossmeier, codesquid
Operating system type: Operating system version:

Description

Originally reported on Launchpad.net:
 https://launchpad.net/bugs/202114

(sections are individual comments)
============

Passwords saved as plain text in ~/.filezilla/sitemanager.xml for filezilla 3.0.0-0ubuntu1 on gutsy.

Passwords should be stored encrypted so that they are better protected against abuse.

============

The .filezilla directory itself is mode 700, so no one can read the plaintext passwords. That said, it would be a good idea for filezilla to use the Gnome Keyring instead of storing plain text passwords.

============

Confirmed on Hardy (filezilla 3.0.7.1-0ubuntu2)

Change History

Changed 21 months ago by codesquid

This is by design, it is the task of the operating system to protect the user's files. Just encrypt your home directory.

Changed 3 weeks ago by madmuffin

  • status changed from closed to reopened

Encrypting the home directory will solve the problem.

If the computer gets hijacked, passwords should still be hard to acquire. Optionally supporting GNOME Keyring, KWallet or OS X's Keychain would be the easiest solution for Linux/Mac.

Changed 3 weeks ago by madmuffin

First line in last post should be "Encrypting the home directory will NOT solve the problem."

Sorry for self-replying.

Changed 2 weeks ago by CrouZ

I agree that it is the OS's task to protect the users' files, but I estimate that this feature will be added to Windows no earlier than the year 2167 and I don't like having all my passwords exposed until then.

How about something similar to Firefox's Master password?

Changed 11 days ago by PieterDeBruijn

  • type changed from Bug report to Feature request

Passwords should never be plain text, but it's not a bug, it's a feature request. Even with an encrypted homedir, you have no protection for programs running on the system that contain bugs (cascading/escalating security issue).

The Firefox solution is a patch which is not integrated with the desktop.

KWallet is meant to be used exactly for this purpose, so enable it.

+1 for a KWallet integration.
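
A defender-side check of the two claims made in this thread (that the .filezilla directory is mode 700, and that passwords sit readable in sitemanager.xml), as an added example that is not part of the ticket or of FileZilla's code. The Server/Host/User/Pass element layout and the sample hosts and credentials are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the Server/Host/User/Pass layout is an assumption.
SAMPLE_XML = """<FileZilla3><Servers>
  <Server><Host>ftp.example.org</Host><User>alice</User><Pass>hunter2</Pass></Server>
  <Server><Host>ftp.example.net</Host><User>bob</User><Pass></Pass></Server>
</Servers></FileZilla3>"""

def loose(path):
    """Return the octal mode if group/other have any access, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "o") if mode & (stat.S_IRWXG | stat.S_IRWXO) else None

def audit(config_dir):
    """List findings for a FileZilla config dir; never echoes a password."""
    findings = []
    xml_path = os.path.join(config_dir, "sitemanager.xml")
    if loose(config_dir):
        findings.append(f"dir mode {loose(config_dir)}, expected 700")
    if not os.path.isfile(xml_path):
        return findings
    if loose(xml_path):
        findings.append(f"sitemanager.xml mode {loose(xml_path)}, not owner-only")
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError as exc:
        return findings + [f"sitemanager.xml unparseable: {exc}"]
    for server in root.iter("Server"):
        # A non-empty Pass element means a credential is stored on disk.
        if (server.findtext("Pass") or "").strip():
            who = f"{server.findtext('User')}@{server.findtext('Host')}"
            findings.append(f"stored password for {who}")
    return findings

def make_sample(dir_mode):
    """Build a throwaway config dir holding the constructed sample file."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "sitemanager.xml")
    with open(path, "w") as fh:
        fh.write(SAMPLE_XML)
    os.chmod(path, 0o600)
    os.chmod(d, dir_mode)
    return d

if __name__ == "__main__":
    for line in audit(make_sample(0o755)):
        print(line)
```

Even with the directory at mode 700 the audit still reports the stored credential, since any process running as the same user can read the file.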
