Opened 17 years ago

Last modified 11 years ago

#3176 closed Bug report

Site Passwords not encrypted in sitemanager.xml

Reported by: Geoff Lawrence Owned by:
Priority: normal Component: FileZilla Client
Keywords: Cc: Geoff Lawrence, Tim Kosse
Component version: Operating system type:
Operating system version:


In FileZilla 2 the ftp user's password was encrypted, for example Pass="010006086069122079112100". In FileZilla 3 (3.0.0-beta11) the sitemanager.xml file in C:\Documents and Settings\<username>\Application Data\FileZilla contains the ftp user's password in plain text, for example <Pass>mysecretpassword</Pass>.

I think it is obvious why this is so bad. I could not find this logged as a bug anywhere and so have raised this to make sure it is addressed.

Change History (4)

comment:1 by Tim Kosse, 17 years ago

This is by design. It's task of the operating system to protect your data.

comment:2 by Geoff Lawrence, 17 years ago

Whilst I agree that this is an operating system task and because the file is under the users profile it is more secure than in FileZilla 3 I disagree that this is sufficient. It is never recommended to store passwords in plain text, even in my personal area. Could we have an option to turn password encryption on in the settings so that all types of user are happy. Please?

comment:3 by Tim Kosse, 17 years ago

Passwords will stay plaintext. There's no point in obfuscation. As soon as you got access to sitemanager.xml, it doesn't matter if it's plaintext or obfuscated.

comment:4 by Alexander Schuch, 11 years ago

Component: OtherFileZilla Client

There is a feature request covering this at #5530.

Note: See TracTickets for help on using tickets.