Opened 12 years ago

Closed 10 years ago

Last modified 6 years ago

#1373 closed Feature request (rejected)

[Security] Passwords saved as plain text

Reported by: greg_grossmeier Owned by:
Priority: normal Component: FileZilla Client
Keywords: Cc: greg_grossmeier, Tim Kosse, beni.mail@…
Component version: Operating system type:
Operating system version:

Description

Originally reported on Launchpad.net:
https://launchpad.net/bugs/202114

(sections are individual comments)
============

Passwords saved as plain text in ~/.filezilla/sitemanager.xml for fielzilla 3.0.0-0ubuntu1 on gutsy.

Password should be stored encrypted so that it is more protected to abuse.

============

The .filezilla directory itself is mode 700, so no one can read the plaintext passwords. That said, it would be a good idea for filezilla to use the Gnome Keyring instead of storing plain text passwords.

============

Confirmed on Hardy (filezilla 3.0.7.1-0ubuntu2)

Attachments (1)

Bob Foster1.png (939 bytes) - added by Slavon 5 years ago.
wordpress.org

Download all attachments as: .zip

Change History (9)

comment:1 Changed 12 years ago by Tim Kosse

This is by design, it is the task of the operating system to protect the user's files. Just encrypt your home directory.

comment:2 Changed 10 years ago by patrick brueckner

Status: closedreopened

encrypting the home directory will solve the problem.

if the computer gets hijacked, passwords should still be hard to acquire. optionally supporting gnome keyring, kwallet or osx's keychain would be the easiest solution for Linux/Mac.

comment:3 Changed 10 years ago by patrick brueckner

first line in last post should be "encrypting the home directory will NOT solve the problem."

sorry for self-replying

comment:4 Changed 10 years ago by Alfred Theorin

I agree that it is the OS's task to protect the users' files, but I estimate that this feature will be added to Windows no earlier than the year 2167 and I don't like having all my passwords exposed until then.

How about something similar to Firefox's Master password?

comment:5 Changed 10 years ago by Pieter de Bruijn

Type: Bug reportFeature request

Passwords should never be plain text, but it's not a bug, it's a feature request. Even with an encrypted homedir, you have no protection for programs the running on system, them containing bugs (cascading/escalating security issue).

The Firefox solution is a patch which is not integrated with the desktop.

KWallet is meant to be used exactly for this purpose, so enable it.

+1 for a KWallet integration.

comment:6 Changed 10 years ago by Bob Murphy

i recently got a virus on my machine (despite an up to date avg ) .... why im posting here is to report that immediately after the virus, all but one of the websites that i had in my filezilla site manager got hacked, despite the fact that some of the sites reside on different servers. For me this is proof that the virus targeted the xml file and stole my passwords to hack the sites. I had come to this conclusion before i found this page; in fact i went looking for other people with the same experience. I think this is a living colour example of why the filezilla passwords file needs to be encrypted. Luckily i only had about 20 sites hacked, but i can imagine the some designers might have many times that. I most certainly will not be using filezilla again unless i hear that this is changed, and i will be warning any designers i know to beware of viruses getting your ftp database stores ( despite the fact that i've used the program for many years )

comment:7 Changed 10 years ago by Tim Kosse

Resolution: rejected
Status: reopenedclosed

Once you've got malware on your computer, you've lost already, game over. You need to prevent the infection in the first place.

comment:8 Changed 6 years ago by beni

Cc: beni.mail@… added

I suggest using KeepassX or a similar password management application. Configuration like FTP address and user name can still be managed in Filezilla but passwords copied from KeepassX only when they are needed.

Changed 5 years ago by Slavon

Attachment: Bob Foster1.png added
Note: See TracTickets for help on using tickets.