Opened 16 years ago

Closed 7 years ago

Last modified 7 years ago

#2935 closed Feature request (fixed)

Support for optional Master Password for sitemanager.xml

Reported by: arireads Owned by:
Priority: high Component: FileZilla Client
Keywords: security master password Cc: arireads, Alexander Schuch, Andrew Markinson, okkie, gnoise@…, JinxDojo@…
Component version: Operating system type: Windows
Operating system version: Windows Vista Ultimate

Description (last modified by Tim Kosse)

This is a request for Filezilla 3 to support a "Master Password" to lock either the sitemanager info (simpler to implement I think) or the edit of sitemanager entries (this would be more similar to firefox 3, but I think I'd like the first option best)

I know this one is tough to implement, but many filezilla users need this. This "a la firefox" level of security, even if simple and low, suits very well the average Desktop user.

Thus, if "Master Password" is enabled, before connecting to site, the user will be prompted the Master Password.

The sitemanager.xml file would be encrypted with AES256 or something like that using the master password.

This would eliminate one of the most common users' concern about filezilla. Obviously not a perfect solution, but in my view would enough for the desktop.

I've heard Tim suggesting users to:

a) encrypt the home partition
b) don't do anything and trust the sysadmin or root user.

While I understand what Tim suggests, I don't think it helps the average desktop user, who doesn't understand what either a) or b) mean.

I think the proposed solution would help here.

In any case, grateful to have filezilla running in my linux desktop box.

Change History (62)

comment:1 by Alexander Schuch, 16 years ago

This item most likely will be closed with the usual reason - the one you already mentioned. But for now, I leave this open.

If you need Site Manager items which are not editable, have a look at "fzdefaults.xml.example" which comes with your FileZilla installation. Using predefined sites, you can accomplish something like that.

comment:2 by Andrew Markinson, 15 years ago

I think this is a major security issue which cannot be dismissed with a simple "blame it on the operating system". I mean, you probably (hopefully) protect your private SSH and PGP/GPG keys with a passphrase, don't you?

Actually, even if you trust root (which you normally do) *and* encrypt your home directory, this doesn't solve the problem: Once you are logged in, any data in your home directory is decrypted on read access. This means that the FileZilla passwords are readable to any application that you start including malware that you caught by browsing some or other website. And in no time at all, "all your FTP accounts are belong to us".

comment:3 by Tim Kosse, 15 years ago

Suppose there were a master password. You catch some malware and the next time you start FileZilla and enter your password, the malware knows it and does its thing with your stored site data.

It just makes no difference at all, an attacker does not care if he gets your site data now or just the next time you decrypt your data. He'll eventually get your data, that's all he cares about.

Instead, you need to protect yourself against an infection with malware.

comment:4 by Andrew Markinson, 15 years ago

Suppose there were malware protection (anti-virus etc). You catch some still unknown malware that slips through the real-time scanner and it does its thing with your stored site data.

Of course you can always find a scenario in which all your security measures get circumvented. But this is no excuse for not having private data protected by the application itself.

You always need several lines of defense. Encrypted file systems, encrypted application data and malware protection go hand in hand. They are not mutually exclusive.

I'm a bit irritated by the persistency with which encrypting sitemanager.xml (and recentservers.xml as well for that matter) is rejected here. Shouldn't be too hard to implement. Someone I pointed to Tim's "suggestions" just replied: "Goodbye FileZilla?". Well ...

comment:5 by Tim Kosse, 15 years ago

Status: newmoreinfo

Like I said in my previous post. You catch some malware unnoticed. You enter your master password to use FileZilla. The malware then knows your password and does its thing with your site data.

So where exactly did you get any security gain through the use of a master password?

comment:6 by Andrew Markinson, 15 years ago

Status: moreinfonew

As I said, there's always a way of getting around things if you try hard enough.

Of course, if someone comes with baseball bat methods like a key logger or a root kit or a federal trojan unnoticed and it intercepts your keyboard input a master password doesn't help. But it helps against simple unauthorized reading of your plaintext private data. Just like storing login passwords in a htpasswd file as MD5/SHA1 hashes or encrypting SSH private keys with a passphrase.

comment:7 by Andrew Markinson, 15 years ago

Cc: Andrew Markinson added

I switched to FireFTP, an add-on for the Firefox browser (https://addons.mozilla.org/de/firefox/addon/684). It also supports SFTP and the passwords can be secured with a master password within Firefox.

Goodbye FileZilla!

comment:8 by Cardinal, 15 years ago

Yeah, it's a very big disadvange of so pretty programm - the lack of the master password form.
You can use some password manager, like Sticky Passwords, etc., to prevent mailware danger, so these arguments are invalid.

FileZilla have to get it!

comment:9 by okkie, 15 years ago

Keywords: security added
Priority: normalhigh
Summary: Support for optional Master Password for sitemanager.xmlSupport for optional Master Password for sitemanager.xml

FileZilla, please add this master password functionality!
If my laptop with all my FTP passwords gets stolen, I'm doomed!

comment:10 by okkie, 15 years ago

Cc: okkie added

comment:11 by okkie, 15 years ago

Will this option make it in the next version?
I tried FireFTP and will use that because it is safer, but the features of FileZilla are years ahead of FireFTP.

comment:12 by Redsandro, 14 years ago

This issue still isn't touched? One should trust the better judgement of the Opera team, Firefox team, Thunderbird etc.

A proper OS/user has an encrypted home dir? Why give a car wheels when a proper road should be a conveyor belt kinda thing. Not all roads are. Imagine you're staying at your uncle's for christmas, borrow his usb stick and download your sitemanager on it to use with your niece's laptop in order to do some quick ftp'ing or something random. Not everyone wants you to repartition their stuff. Sometimes you trust a computer or medium, but not the filesystem with traces of sitemanagers. Who knows where they end up.

Keyloggers also work on encrypted home dirs and you don't even need the sitemanager xml to come with.

Apart from this annoyance, FileZilla is awesome.

+cc

comment:13 by Tim Kosse, 14 years ago

Resolution: rejected
Status: newclosed

A piece of malware with a keylogger would simply sniff your master password and send it alongside the encrypted sitemanager data to the attacker. Protection gained: ZERO.

You people need to realize: If your machine got infected you've lost already.

comment:14 by Josef Sábl, 14 years ago

I registered just to vote for this must-have feature. Codesquid, you are so wrong! Read Redsandros comment again, he is absolutely correct.

My machine does not need to get infected. It is enough that I lose my flash drive with portable FileZilla on it.

By the way, I have portable Keepass and portable Firefox on the same flash drive. Both protected with master password. Ha ha, what idiots must Keepass and Firefox developers be that they have such a stupid feature in their product. It does not matter that I can use these applications perfectly.

Contrary, I am perfectly happy with FileZilla that is idealogistically so pure and it does not matter that I can't use it due to security concerns.

I keep babbling about one situation where master password does not help and you close your eyes to all those situations where it does help.

comment:15 by Tim Kosse, 14 years ago

So, simply encrypt your entire flash drive.

comment:16 by okkie, 14 years ago

Like Josef said, the master password is not about infected machines.
I need this password to prevent access to my websites when my PC is stolen.

But if you're not going to implement this, fine, its your decision.

comment:17 by Josef Sábl, 14 years ago

When I encrypt my flash drive it will not work everywhere where I need it to work.

I will put it more directly: in my situation the master password is the only way to make passwords safe. I will not try to explain all details to you as my situation might not be typical enough. It should be enough for you to see how many people fight for this feature (and this ticket is not the only one, is it?).

The only thing you do is to repeat that keylogger can steal your master password. Yes and what? We are not afraid of keyloggers.

You know, computer science is one thing and real life application is another. I am a bit disappointed to see such attitude here.

comment:18 by Josef Sábl, 14 years ago

comment:19 by okkie, 14 years ago

...maybe it is too difficult to do an AES encryption of sitemanager.xml in FileZilla?

comment:20 by Tim Kosse, 14 years ago

Other projects too opt to store the passwords in plaintext for a good reason: http://developer.pidgin.im/wiki/PlainTextPasswords

comment:21 by Redsandro, 14 years ago

Like mentioned in some previous comments, some huge projects also do choose for master password functionality - a choice happily used by a lot of users - which no biased article can refute. If I am allowed to broaden the market segment here to show similar choices made for big projects, you can either ridicule or embrace the fact that OpenOffice.org, MS Office etc. all support password protection for their documents which could also have been handled by home dir encryption.

The reason is obvious: You don't always have control over the filesystem! It's the same (for sitemanager.xml) with quick backups (bluetooth theftprone phone sync to take important files with you, anyone?), portability, traveling and being dependent on other people's equipment, using computers at university, old or otherwise slow (eg ARM) hardware that doesn't support or play nice with (home) encryption, (future) ports to devices that plain don't support encryption, accidental unattended left-open login to your homedir-unlocked account accessible to any lolstealer* not criminal or adept enough to actually install keyloggers (wich would be picked up by your AV anyway), unsecurity within a trusted wireless LAN because all EFS encrypted files get decrypted upon copy over the network, same for a (big) wired LAN where people can be listening just for fun like in a large student home, or any other reason why someone moves around between computers a lot.

*) The world is not so black and white, good or criminal. Among students, scholars or even family - a large portion of the users - you may find more people than you'd think that would want to have your passwords for unholy reasons which is way too easy when plain text (or 'obscured') password stores are used. You can have all home encryption in the world and the smallest mistake in your own house (going to the toilet in a hurry or just not paying attention) is enough. Even my 11 year old brother can write an autorun.inf and a bat/cmd to a USB stick that autocopies %AppData%/somedir/sitemanager.xml in a second.

I bet there's a huge amount of users who'd rather have master password functionality than, say, the past 50 official updates. With my respect to the contributors!

Yes I am annoyed by Pidgin for their view on this, too. I don't get that all active developers don't see how it would be an improvement.

in reply to:  20 ; comment:22 by Josef Sábl, 14 years ago

Replying to codesquid:

Other projects too opt to store the passwords in plain-text for a good reason: http://developer.pidgin.im/wiki/PlainTextPasswords

Yeah, I was waiting for you to mention Pidgin. I agree with you, I would change just one part: Other projects too opt to store the passwords in plain-text for same idiotic reason.

I personally can't use Pidgin for same reason I can't use FileZilla.

This is my last post, so I will just write one more thing. Your reasoning is same like saying: You should not use condom as it is not effective every time (This actually is position of Vatican, I believe. Arrogance and blindness, anyone?)

comment:23 by Redsandro, 14 years ago

Nice way to put it. But this is now a high priority closed feature request.

comment:24 by Stoob, 14 years ago

Because Filezilla is an open source project and the GNU Public license offers no warranty for the software, there is no incentive for the development team to make the password handling more secure.

Because it is free software, there are no considerations regarding marketing the product to a particular audience or pleasing the ignorant customer (saving them from themselves) to earn their referral and repeat business.

Although of course, you and I, as webmasters understand better. We know that 80% of people who use Filezilla software do not realize that using a "normal" login is insecure, nor do they bother check to see how Filezilla handles their passwords, nor even consider security as an issue. All of this is not Filezilla's problem, thanks to the GNU.

Even the simple task of changing "Normal" to "Normal (insecure)" to shine some light on the issue for the unwashed masses who naively use Filezilla improperly and insecurely is too much bother for Filezilla developers, bless their hearts.

Would a "master password" help the unwashed and ignorant masses secure their passwords? Maybe. Would it be a 100% solution? No of course not.

For a 100% solution they'd have to stop using Windows and switch to Linux AS WELL AS store all their passwords in an encrypted directory so that if their computer ever got physically stolen, they would be reasonable secure that the passwords would not be comprised.

But since not everyone is going to do that, and since "master passwords" would not be a 100% solution for the drooling barbarians out there on Windows XP, the Filezilla team can dismiss "master passwords" as an inadequate, ill informed, and unnecessary change with no consequence whatsoever (see the GNU, again).

Sure the Filezilla team bothered at some point to write some documentation on security...somewhere in some wiki...that very few people ever read...but that is not Filezilla's problem. Again, sheltered by the GNU there is no real incentive, other than personal pride and caretaker's mentality of the software one created, for a developer to communicate better or introduce new security features.

We can all have an academic discussion here in this bug tracker and nothing gets accomplished, because there is no REAL incentive to do so. Also, it's an community development open source project and no one is getting paid, so any developer can always refer to that fact if they find themselves in need of defending themselves.

Ain't this situation grand?

in reply to:  24 comment:25 by Redsandro, 14 years ago

Replying to Stoob:

I think you might have a bug in the lower part of your ingestive system.

True, most developers want to dive into the new 'cool' stuff and don't care about popular demand that involves looking into code that was written years ago. Apart from that, nothing you said made any sense. You didn't read any of the good comments above but blatantly wrote a chapter about evil barbarians and mention an operating system that is three generations old.

I'm a Linux user with an encrypted home dir who thinks this feature should be on top of the todo list, rather than all those fixes for a possible crash when uploading a picture of a monkey while holding the right alt-key.

Separate facts from frustration and you'll sound clever.
Besides, this 'high priority issue' was closed over 7 months ago.

comment:26 by Josef Sábl, 14 years ago

Hey guys. I just wanted to ask something. Does any one of you have a lock on your front door? Cause you shouldn't.

Concept of front door locks is flawed on so many levels:

  • Thief can steal your key when you are not paying attention.
  • Even if he doesn't, every conventional lock can be picked.
  • Even if he doesn't succeed at lock picking, he can always break in through window.
  • It's police's job to protect your home anyway.
  • How can you live in a place, where try to steal your things. You should move to country and city, where crime is non-existant! Now!

These are examples of reasons why houses should not have front door locks.

comment:27 by Redsandro, 14 years ago

I'm also getting really annoyed by that Gnome-Keyring in Ubuntu. What do I need that extra security for? I got an encrypted home dir. It's not like I ever backup my home dir over a network. Wifi is definitely not used by anyone except me and WEP/WPA(2) will never be cracked; there's no such thing as hole196. I always lock my computer when I make some coffee and I never have people around my house when my home dir is unlocked.

I guess those folks over at the Gnome development team really don't know what they're doing. I wish they were more creative and thoughtful like the FileZilla dev team over here.

comment:28 by Tim Kosse, 14 years ago

Guys, stop the flamewar. Instead, just enable Kiosk mode, then FileZilla does not save any passwords at all. If you are not happy with that, fine with me, but don't be crybabies about nothing.

comment:29 by Redsandro, 14 years ago

Resolution: rejected
Status: closedreopened

Seems to me this feature request needs to be reopened.

Encrypting home directory does not solve the problem.
Enabling kiosk mode does not solve the problem.
Existence of spyware does not void security issues.

PS - Don't point and blame when your last words themselves are a flame.

comment:30 by Tim Kosse, 14 years ago

Resolution: rejected
Status: reopenedclosed

End of discussion. This decision is final.

in reply to:  28 comment:31 by Josef Sábl, 14 years ago

Replying to codesquid:

Guys, stop the flamewar. Instead, just enable Kiosk mode, then FileZilla does not save any passwords at all. If you are not happy with that, fine with me, but don't be crybabies about nothing.

We are not crybabies, we are just pointing out facts which render your arguments hardly valid.

I accept it to be fact that Filezilla won't implement this feature. Yeah, crying is the only thing can I do about that :-) But I have lots of other things to cry for. Filezilla not one of them.

Sorry, but "not saving any passwords at all" is not a usable option for me as it would kill my productivity.

comment:32 by Redsandro, 14 years ago

Yes, it wouldn't feel like such painful ignorance, like a father smacking his crybaby kid in the face while shouting "Because I say so!", if there would just be a valid reason for closing this request.

If every dev is like "I have no personal gain from this and I don't wish to work on this", that's fine, but the issue should remain open until someone comes along that does provide an acceptable solution.

Am I wrong?

comment:33 by Bram, 13 years ago

Cc: gnoise@… added
Resolution: rejected
Status: closedreopened
Type: Feature requestBug report

I also still want to opt for this feature. Or at least scramble the passwords. It's not only against hackers and viruses, but also against accidental peeking "over the shoulders" if you -for some reason- open the config file.

I think the reasons to reject the feature given here are shortsighted and ignorant. The world isn't only about high-tech hackers, but also about normal people that can read words. If a password is hidden in a hash, they understand they shoudn't read it. If it's readable they think: "Oops! I shoudn't have read 'Secret001', I guess".

We are human. We read words. Don't make it that hard NOT to read a password :)

comment:35 by Redsandro, 13 years ago

Keywords: master password added
Priority: highcritical

greggggg just triggered this report in my inbox.

On a related note, although they are STILL working on it, Fedora (and CentOS) don't even have home encryption working properly yet. Only Ubuntu offers entire home encryption during install. On Windows 7, you need a pro or higher license for NTFS EFS encryption or an Enterprise or higher version for Bitlocker drive encryption.

Not everyone wants to
1) Use buggy Ubuntu, or
2) Use LUKS entire drive encryption slowdown solution for Fedora/CentOS, or
3) Use an entire third-party drive encryption slowdown solution like TrueCrypt, or
4) Upgrade their Windows license to Professional for manual or Enterprise for automatic encryption, or
5) Switch to a much lamer open source FTP client like FireFTP just to use Master Password security, or
6) Switch to a commercial FTP client that supports Master Password security.

We want to run FileZilla on our home computer with CentOS, or our low-performance netbook with Windows 7 Starter or Fedora without LUKS. We want a simple Master Password solution like Opera, Keepass, or Firefox. We should not have to change heaven and earth to imitate an easy solution, right?

There are so many good reasons to implement this, yet not a single good reason for not implementing this has been provided the past 3 years.

Please reconsider. This will be one of two steps necessary to make FileZilla the number 1 FTP client.

comment:36 by Redsandro, 13 years ago

Keywords: security, master, password → security master password

in reply to:  22 comment:37 by Jinx Dojo, 13 years ago

Replying to josef.sabl:

I personally can't use Pidgin for same reason I can't use FileZilla.

Same here. I requested a master password feature for both Pidgin and FileZilla years ago as well. The lack thereof is one of the major factors I haven't been able to fully switch over to using open source software. While Codesquid doesn't provide much of a reason, at least he doesn't laugh at you and ask "why doesn't your operating system take care of that for you?" like the Pidgin developers did. And, at least he has the excuse of being the only active developer for Filezilla.

Nevertheless, the argument that the master password would be compromised as easily as the plaintext passwords is weak. On my machine, if any malware somehow gets in, it usually gets to run once, at which point it makes itself pretty well known (via any number of monitors), and I get rid of it before running anything else. True, there is a chance I could not realize it, but thus far in life, I've never known a piece of malware to hang around quietly long enough for me not to notice it. Thus, malware has a much higher chance of running "quickly and quietly" (scanning a few known locations for passwords during inactive computer times) than running actively (and monitoring your master password as you enter it).

I realize my counter argument is not exactly hard-science-based, but I think a lot of people would agree with me that it is easier for malware to scan known locations than to constantly monitor a computer.


A year ago, I got a decent idea for how to solve some of these issues. I've yet to try it, and it has some obvious shortcomings, but I plan to use it until a better option is available.

I run TrueCrypt already to backup sensitive files. I plan to create a small TrueCrypt container, and mount it as a drive. Then, I will store all the configuration/password files there, and direct all application shortcuts to open as if that were the application's data directory (this is possible via command line in Pidgin and Filezilla).

Of course, this doesn't address those programs being opened by anything other than my dedicated shortcut. Other applications (opening ftp:// links for example) would not know to look at my mounted drive. Additionally, if I wanted to leave an application running while I leave the computer, I would unmount the drive, but this introduces another issue: would the applications continue to store the passwords in a cache (and thus reduce security) or would they be unable to reconnect in the event of a disconnection (thus reducing dependability/convenience).

Obviously it's a trade-off, but at this point I don't even know the answer, or that I have a choice over which I'd prefer. This is probably the main reason I haven't tried it yet. If anyone else tries it, please do let me know how it goes.

Sorry for the long post; this is an important issue.

comment:38 by Jinx Dojo, 13 years ago

Cc: JinxDojo@… added

comment:39 by Redsandro, 12 years ago

Any interesting new developments?

A lot of hobbyists have their own webspace. They are not professionals. They do not all have a 'sysadmin', they are not all highly technical users with the knowhow to use Linux or Truecrypt. Most of them bought a computer with Windows Home, which doesn't support EFS. They are not interesting targets for the professional hacker. They are, however, interesting targets for siblings, schoolmates, colleagues, and others with physical contact to the computer, able to do the quick-peek method while you are under the desk reaching for a dropped dorito. Even when you do have CIA-grade encryption, the drive is mounted and unlocked by then anyway.

I am concerned with the reasoning behind this security standpoint. Relying on highly experienced users for CIA-grade encryption against professional criminals only is hurting the vast majority end users. Those criminals are not interested in the gallery of my pet cat. People able to do the quick-peek method, they are. They will be stopped by a master password.

This kind of security tactics have a strange sense of rewarding that 1% of highly technical users while punishing those that just want to use their computer in a mainstream fashion.

As an alternative to a master password, how about adding support for keyring, like this plugin for Pidgin does?
https://code.google.com/p/pidgin-gnome-keyring/
It's just Linux, but it's a start.

comment:40 by E. Gaudrain, 12 years ago

The fact that the Mozilla people are using this method is sufficient to convince me that it is the way to go. That might not be the perfect solution, but it is definitely better than no solution at all.

FileZilla is open source, so anyone could implement it. Actually, I found it kind of weird that nobody had done just that: a fork with Master password... until I downloaded the code myself. Admittedly I haven't done C/C++ for ages, but even so, the code looks just like a mess! My impression is that it would be really really annoying to implement the feature. No wonder the FileZilla developers don't want to do it and come up with questionable arguments against it...

I'll keep trying, but really guys, you should clean up your mess.

comment:41 by DeathByNukes, 12 years ago

You really know nothing about security do you?

If one uses software like sandboxie to prevent untrusted software from hooking the keyboard, malware can still read plaintext files. If one is infected with a virus there is a possibility that they will catch the infection before they enter your master password; the size of this possibility directly translates into higher security. How about trojans that are designed to simply steal data from the system and immediately terminate to avoid suspicion? How about people that aren't skilled enough to encrypt the file system, can't because of data integrity concerns, or simply aren't allowed to?

With a master password, the data is vulnerable from the time the password is entered to the time the program is closed. With plaintext, the data is vulnerable at all times the file system is available.

You have no excuse.

comment:42 by Marc, 12 years ago

"Suppose there were a master password. You catch some malware and the next time you start FileZilla and enter your password, the malware knows it and does its thing with your stored site data. It just makes no difference at all, an attacker does not care if he gets your site data now or just the next time you decrypt your data. He'll eventually get your data, that's all he cares about."

1.) Suppose the malware is a zero day hack or the installed virus definition is a few days old or the live scanner doesn't filter the malware, but the next physical search task will find it.... As long you don't login to filezilla no one can steal the passwords. And after the trojan has been found everything is fine again. Think about how often a normal user logs into filezilla and how often the virus definitions are updated.

2.) Suppose someone has physically access to your pc:
a) because you went to lunch and forget to shutdown
b) someone has stolen it
c) a "friend" asked if he is allowed to check his mails
d) you've sold your pc or hard disk without sanitizating your data

3.) Suppose you released some folders / files including the Filezilla xml's? Maybe its part of an old backup archive or copied because of other reasons.

4.) Suppose the malware is a worse trojan that doesn't include a keylogger but a file copier.

5.) Do a little bit research of the last attacks against wordpress and other softwares. They all result by stolen ftp accounts. If only one of this webmasters could had been guarded several thousand malwares were not distributed through their websites.

6.) Everone is able to google the filename including the passwords but only a few people are able to understand source codes to decode hashes.

My proposal:
Realize a master password version of filezilla an sell it through paypal for 5 Dollar. After that you will see there is demand. I would pay for that feature anyway.

in reply to:  42 comment:43 by Josef Sábl, 12 years ago

Replying to mgutt:

Sorry buddy, but you are wasting your breath here. They won't listen to any argument where master password would help. They will keep pointing out situations where it won't help.

I monitor this thread for few years and it is still the same.

comment:44 by Marc, 12 years ago

I thought that (I know the closed thread in the client support forums), but I don't want to give up. Maybe some arguments were overlooked because of the little flamewar.

comment:45 by Alexander Schuch, 12 years ago

Type: Bug reportFeature request

One more now closed item handling this feature request is #5251.
A patch proposal was filed in #8173.

comment:46 by Alexander Schuch, 12 years ago

Encrypting the configuration files by using OS functionality is proposed in #5530.

comment:47 by Redsandro, 12 years ago

Although either one is better than nothing, I'm in favour of the Master Password method.

First, #5530 requires different code routines for different platforms, and there is no proposal for Linux yet. (which I use)

Second, remembering one personal password to access tens or hundreds of different and often random passwords has proven succesful and convenient for years now. See Opera, Firefox, the success of different password vault solutions. Chromium/Chrome does the same, but transparently using your (IIRC) hashed google account password as master password.

A Linux-only half-solution that I implement is ecrypfs on /home/ (or CIA-style LUKS on everything. This has been the developers proposed solution), but this is vulnerable to pretty much every attack other than theft or criminals finding the physical harddisk in the gutter.

After YEARS of solid arguments, peer pressure and the rediculous counter-reasoning from certain key developers (you can also get HIV through breastmilk so why use a condom?), I think it's clear that the original 6 year old views have become more of a principal nature, more like the blockade in a diode in 'reverse direction' - where more electrons only cause the blockade to increase in strength, and less like a well thought-through stance.

On the other hand, we are being rude, demanding stuff from someone else's creation.

Maybe though, #8173 will be fruitful some day.

comment:48 by Marc, 11 years ago

As there is still no master password I found a solution to create my own solution for this:
http://www.maxrev.de/ftp-programm-mit-master-passwort-t261569.htm#3652028

Summary:
1) Install TrueCrypt and create a password protected container for mounting (100 MB)
2) Mount container and install Filezilla Portable in the new drive
3a) Windows: Create a Batch File to start Truecrypt and to start Filezilla Portable. At last close Truecrypt (Truecrypt waits until Filezilla has been closed). If you want a nice solution use a batch to exe converter and use the original Filezilla Icon and create a "FilezillaStarter.exe" and place it into your start folder.
3b) Linux: ?!
4) Start FilezillaStarter.exe, Truecrypt asks for the password, FilezillaPortable starts. After closing FilezillaPortable the drive is unmounted again.

Screenshot:
http://www.maxrev.de/truecrypt-mount-dismount-autorun-program-bild-306350.htm

As long you don't start Filezilla the passwords are safe. Fine!

comment:49 by jon harper, 11 years ago

+1

comment:53 by Chris Baker, 10 years ago

If anyone is still interested in a master password I would be willing to compile a version that has this ability for $100.00

comment:54 by Redsandro, 10 years ago

No thanks.

1) We think this FOSS project would benefit and should have this feature implemented by sheer understanding and logic of the development team.
2) We want this feature to remain in mainline after every update.
3) If we want to participate in commercializing features, there are much better FTP products out there for us to buy.

If you got any heart for FOSS, used this project for your own benefit, and got the technical know-how, you should just release the patch for everyone to compile and a binary for everyone to download.

I advise no one to pay this cmbaker82 for a binary. If you want a patched FileZilla, you can download it here: http://fzcrypt.com/download.php

comment:55 by Chris Baker, 10 years ago

I didn't realize someone had already made a patched version available.

comment:56 by Redsandro, 10 years ago

@codesquid @botg

Let's re-iterate some arguments for Master Password and optionally a key file:

  • On Windows 7 and 8, you need a Professional or higher license for NTFS Encrypting File System, or Enterprise for Bitlocker drive encryption in order to make your system secure enough for plaintext passwords, effectively making the other Windows editions insecure for using with FileZilla.
  • On any EFS encrypted Windows version, files will get decrypted when transferred over LAN.
  • A portable version on a USB stick would benefit from a Master Password.

These are some legit use cases, am I wrong?

comment:57 by Tukang, 9 years ago

Operating system type: Windows
Operating system version: Windows Vista Ultimate
Priority: criticalhigh

comment:58 by Quint, 9 years ago

This dead horse has been beaten pretty badly, but I want to add my voice to the list of people asking for encryption of passwords in the config. FZ has just been banned from my workplace because of the plain text password problem.

Tim is right, encryption isn't a perfect solution and he has his objections to the feature. I think that is irrelevant. Users are asking for a feature and his personal philosophy is getting in they way of helping his users. It isn't a battle or a competition, we just need the feature to continue using the software.

Can we start a bounty for the feature? Since it is OS software can we get another developer involved to add the feature using a bounty? Would Tim accept such a code contribution?

Filezilla is a great piece of software and I really appreciate the work Tim and others have put into it. If the only thing standing in the way of wider use is this one little feature, why can't it be added?

comment:59 by Marc, 9 years ago

In Google Chrome you need to authorize the output of plain text passwords with your windows login. A good solution against people spying your pc as long you are on the toilet.

comment:61 by Redsandro, 9 years ago

comment:62 by lelegard, 9 years ago

See ticket #5530 https://trac.filezilla-project.org/ticket/5530#comment:35 for a patch implementing an interim solution on Windows systems.

comment:63 by fishtail, 7 years ago

This has FINALLY been implemented in 3.26 beta client and it looks promising.

https://www.ghacks.net/2017/05/26/filezilla-integrates-master-password-support/

Last edited 7 years ago by fishtail (previous) (diff)

comment:64 by Redsandro, 7 years ago

Thanks for the heads up @fishtail.

Although after all these years I'd prefer to see integration with seahorse/keyring/keymanager, this is a really good step for many reasons.

comment:65 by lelegard, 7 years ago

Thank you.

However, this was a basic security feature and it comes 10 years late. I am the author of the above mentioned patch for Windows, 2 years ago. But I have given up using FileZilla a long time ago. In a world of cyber-threat and malware all over the place, FileZilla had become completely outdated in terms of security and most managed organisations have banned its usage in the recent years.

Too bad. It used to be an amazing product in the old times of ftp command line. But the obstinacy and short-sightness of its authors have killed it. RIP.

Last edited 7 years ago by lelegard (previous) (diff)

comment:66 by Tim Kosse, 7 years ago

Description: modified (diff)
Resolution: fixed
Status: reopenedclosed

Note that a master password does not offer any additional security. It is no more secure than not saving passwords at all, functionality that has already been in FileZilla for many years.

Technically using a master password isn't even as secure. If not saving passwords, keylogging malware can only intercept those passwords that are entered while the malware is running. With master passwords, it immediately gets access to all encrypted passwords as soon a the master password is entered.

in reply to:  66 comment:67 by lelegard, 7 years ago

Replying to codesquid:

Note that a master password does not offer any additional security. It is no more secure than not saving passwords at all, functionality that has already been in FileZilla for many years.

Technically using a master password isn't even as secure. If not saving passwords, keylogging malware can only intercept those passwords that are entered while the malware is running. With master passwords, it immediately gets access to all encrypted passwords as soon a the master password is entered.

As I just wrote, "obstinacy and short-sightness"...

Security is a pragmatic matter. Full security does not exist. Those who believe that this is an excuse for not implementing features which move the cursor higher between zero security and infinite security should not be allowed to develop security products. Simply because they lack the required pragmatism.

Note: See TracTickets for help on using tickets.