#1373 closed Feature request (rejected)
[Security] Passwords saved as plain text
Reported by: | greg_grossmeier | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | FileZilla Client |
Keywords: | | Cc: | greg_grossmeier, Tim Kosse, beni.mail@… |
Component version: | | Operating system type: | |
Operating system version: | | | |
Description
Originally reported on Launchpad.net:
https://launchpad.net/bugs/202114
(sections are individual comments)
============
Passwords saved as plain text in ~/.filezilla/sitemanager.xml for filezilla 3.0.0-0ubuntu1 on gutsy.
Passwords should be stored encrypted so that they are better protected against abuse.
============
The .filezilla directory itself is mode 700, so no one can read the plaintext passwords. That said, it would be a good idea for filezilla to use the Gnome Keyring instead of storing plain text passwords.
============
Confirmed on Hardy (filezilla 3.0.7.1-0ubuntu2)
Attachments (1)
Change History (9)
comment:1 by , 17 years ago
comment:2 by , 15 years ago
Status: | closed → reopened |
---|
encrypting the home directory will solve the problem.
If the computer gets hijacked, passwords should still be hard to acquire. Optionally supporting GNOME Keyring, KWallet or OS X's Keychain would be the easiest solution for Linux/Mac.
comment:3 by , 15 years ago
first line in last post should be "encrypting the home directory will NOT solve the problem."
sorry for self-replying
comment:4 by , 15 years ago
I agree that it is the OS's task to protect the users' files, but I estimate that this feature will be added to Windows no earlier than the year 2167 and I don't like having all my passwords exposed until then.
How about something similar to Firefox's Master password?
comment:5 by , 15 years ago
Type: | Bug report → Feature request |
---|
Passwords should never be plain text, but it's not a bug, it's a feature request. Even with an encrypted homedir, you have no protection from programs running on the system that contain bugs (cascading/escalating security issue).
The Firefox solution is a patch which is not integrated with the desktop.
KWallet is meant to be used exactly for this purpose, so enable it.
+1 for a KWallet integration.
comment:6 by , 15 years ago
I recently got a virus on my machine (despite an up-to-date AVG) .... Why I'm posting here is to report that immediately after the virus, all but one of the websites that I had in my FileZilla site manager got hacked, despite the fact that some of the sites reside on different servers. For me this is proof that the virus targeted the XML file and stole my passwords to hack the sites. I had come to this conclusion before I found this page; in fact I went looking for other people with the same experience. I think this is a living colour example of why the FileZilla passwords file needs to be encrypted. Luckily I only had about 20 sites hacked, but I can imagine that some designers might have many times that. I most certainly will not be using FileZilla again unless I hear that this is changed, and I will be warning any designers I know to beware of viruses getting your FTP database stores (despite the fact that I've used the program for many years).
comment:7 by , 15 years ago
Resolution: | → rejected |
---|---|
Status: | reopened → closed |
Once you've got malware on your computer, you've lost already, game over. You need to prevent the infection in the first place.
comment:8 by , 11 years ago
Cc: | added |
---|
I suggest using KeePassX or a similar password management application. Configuration like FTP address and user name can still be managed in FileZilla, but passwords are copied from KeePassX only when they are needed.
This is by design, it is the task of the operating system to protect the user's files. Just encrypt your home directory.
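
Added example (not part of the ticket and not FileZilla code): a small audit of the two things debated above, the owner-only mode of the configuration directory and whether sitemanager.xml holds stored passwords. The Server/Host/User/Pass element layout and the sample data are assumptions constructed for illustration; the script reports which entries have a stored password but never outputs the password text.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the Server/Host/User/Pass layout is an assumption.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><User>alice</User><Pass>not-a-real-secret</Pass></Server>
  <Server><Host>files.example.test</Host><User>bob</User></Server>
</Servers></FileZilla3>"""


def loose_bits(path):
    """Permission bits granted to group/other (0 means owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077


def audit_profile(config_dir):
    """Return findings for a profile directory; never returns password text."""
    findings = []
    if loose_bits(config_dir):
        findings.append(f"dir-perms: {config_dir} is not owner-only (want 700)")
    xml_path = os.path.join(config_dir, "sitemanager.xml")
    if not os.path.isfile(xml_path):
        return findings
    if loose_bits(xml_path):
        findings.append(f"file-perms: {xml_path} is not owner-only")
    for server in ET.parse(xml_path).getroot().iter("Server"):
        if (server.findtext("Pass") or "").strip():
            user = server.findtext("User", default="?")
            host = server.findtext("Host", default="?")
            findings.append(f"stored-password: {user}@{host}")
    return findings


def demo():
    """Audit a throwaway profile twice: world-readable, then locked down."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sitemanager.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(d, 0o755)
        os.chmod(path, 0o644)
        before = audit_profile(d)
        os.chmod(d, 0o700)
        os.chmod(path, 0o600)
        after = audit_profile(d)
    return before, after
```

Tightening the modes clears the permission findings, but the stored-password finding remains, because file modes only restrict other accounts and not programs running as the same user.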