Opened 12 years ago

Last modified 6 years ago

#3176 closed Bug report

Site Passwords not encrypted in sitemanager.xml

Reported by: Geoff Lawrence
Owned by:
Priority: normal
Component: FileZilla Client
Keywords:
Cc: Geoff Lawrence, Tim Kosse
Component version:
Operating system type:
Operating system version:

Description

In FileZilla 2 the ftp user's password was encrypted, for example Pass="010006086069122079112100". In FileZilla 3 (3.0.0-beta11) the sitemanager.xml file in C:\Documents and Settings\<username>\Application Data\FileZilla contains the ftp user's password in plain text, for example <Pass>mysecretpassword</Pass>.

I think it is obvious why this is so bad. I could not find this logged as a bug anywhere and so have raised this to make sure it is addressed.

Change History (4)

comment:1 Changed 12 years ago by Tim Kosse

This is by design. It's the task of the operating system to protect your data.

comment:2 Changed 12 years ago by Geoff Lawrence

Whilst I agree that this is an operating system task, and because the file is under the user's profile it is more secure than in FileZilla 3, I disagree that this is sufficient. It is never recommended to store passwords in plain text, even in my personal area. Could we have an option to turn password encryption on in the settings so that all types of user are happy? Please?

comment:3 Changed 12 years ago by Tim Kosse

Passwords will stay plaintext. There's no point in obfuscation. As soon as you have access to sitemanager.xml, it doesn't matter if it's plaintext or obfuscated.

comment:4 Changed 6 years ago by Alexander Schuch

Component: Other → FileZilla Client

There is a feature request covering this at #5530.
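
An added example, not part of the ticket or of FileZilla's code: a Python audit that counts stored passwords in both forms quoted in the description (`Pass="..."` and `<Pass>...</Pass>`) and checks whether the file's POSIX mode gives anyone but the owner access, which is the protection comment:1 relies on. The sample document, its `Sites`/`Site` element names and the function names are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; only <Pass>...</Pass> and Pass="..." come from the ticket,
# the surrounding element names are placeholders.
SAMPLE = """<Sites>
  <Site Name="legacy" Pass="010006086069122079112100"/>
  <Site Name="current"><Pass>mysecretpassword</Pass></Site>
  <Site Name="ask-each-time"><Pass></Pass></Site>
</Sites>"""


def audit_site_file(path):
    """Count stored passwords and check who can reach the file.

    Password values are never returned or printed, only counted.
    """
    element_form = attribute_form = 0
    for elem in ET.parse(path).iter():
        if elem.tag == "Pass" and (elem.text or "").strip():
            element_form += 1          # FileZilla 3 style: <Pass>value</Pass>
        if elem.attrib.get("Pass", "").strip():
            attribute_form += 1        # FileZilla 2 style: Pass="digits"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # POSIX mode bits only; on Windows the file's ACL has to be checked instead.
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {
        "element_passwords": element_form,
        "attribute_passwords": attribute_form,
        "mode": oct(mode),
        "group_or_other_access": exposed,
    }


def demo():
    """Audit the constructed sample under a loose and a tight file mode."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sitemanager.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            results.append(audit_site_file(path))
    return results


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```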
