Opened 16 years ago
Last modified 10 years ago
#3176 closed Bug report
Site Passwords not encrypted in sitemanager.xml
|Reported by:||Geoff Lawrence||Owned by:|
|Keywords:||Cc:||Geoff Lawrence, Tim Kosse|
|Component version:||Operating system type:|
|Operating system version:|
In FileZilla 2 the ftp user's password was encrypted, for example Pass="010006086069122079112100". In FileZilla 3 (3.0.0-beta11) the sitemanager.xml file in C:\Documents and Settings\<username>\Application Data\FileZilla contains the ftp user's password in plain text, for example <Pass>mysecretpassword</Pass>.
I think it is obvious why this is so bad. I could not find this logged as a bug anywhere and so have raised this to make sure it is addressed.
Change History (4)
comment:1 by , 16 years ago
comment:2 by , 16 years ago
Whilst I agree that this is an operating system task and because the file is under the user's profile it is more secure than in FileZilla 3, I disagree that this is sufficient. It is never recommended to store passwords in plain text, even in my personal area. Could we have an option to turn password encryption on in the settings so that all types of user are happy. Please?
comment:3 by , 16 years ago
Passwords will stay plaintext. There's no point in obfuscation. As soon as you got access to sitemanager.xml, it doesn't matter if it's plaintext or obfuscated.
comment:4 by , 10 years ago
|Component:||Other → FileZilla Client|
There is a feature request covering this at #5530.
This is by design. It's the task of the operating system to protect your data.
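
An added example, not part of the ticket or of FileZilla's code: a defender-side audit that lists which sitemanager.xml entries hold a stored password (without printing it) and, on POSIX systems, whether the file's mode bits let other local accounts read it, which is the operating-system protection the replies above rely on. Only the <Pass> element comes from the ticket; the other element names, hosts and users in the sample are constructed assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; only <Pass> appears in the ticket, the other
# element names and all values are assumptions for illustration.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><User>alice</User><Pass>mysecretpassword</Pass></Server>
  <Server><Host>files.example.test</Host><User>bob</User><Pass></Pass></Server>
</Servers></FileZilla3>"""


def audit_sitemanager(path):
    """Report stored passwords and loose file permissions; never echo a password."""
    result = {"stored_passwords": [], "readable_by_others": None}
    if os.name == "posix":
        # Group/other read bits let other local accounts read the file.
        mode = os.stat(path).st_mode
        result["readable_by_others"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    # On Windows the mode bits say nothing about ACLs, so the value stays None.
    for entry in ET.parse(path).getroot().iter():
        password = entry.find("Pass")
        if password is not None and (password.text or "").strip():
            result["stored_passwords"].append(
                (entry.findtext("Host", "?"), entry.findtext("User", "?")))
    return result


def write_sample(directory, mode):
    """Write the constructed sample with the given permission bits."""
    path = os.path.join(directory, "sitemanager.xml")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(SAMPLE)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o644, 0o600):
            print(oct(mode), audit_sitemanager(write_sample(tmp, mode)))
```

On Windows, where the ticket's file lives under the user profile, the equivalent check is the file's ACL rather than mode bits.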