Opened 9 years ago

Closed 7 years ago

Last modified 5 years ago

#5251 closed Feature request (duplicate)

Master Password Redux

Reported by: david lund Owned by:
Priority: high Component: FileZilla Client
Keywords: master password, plain text issue, security Cc:
Component version: Operating system type: Windows
Operating system version:

Description

Hello,

Master Passwords similar to Firefox etc should be part of any application that stores information of a personal nature. Not as the end all of security solutions that will prevent login information from being compromised, but rather a part of the process to help secure information safely.

While it is easy to argue there is no security ever good enough if you are compromised (which is the argument I have seen so far) it doesnt really take a big picture look at either the request or the argument against it. Arguing that more casual methods to prevent password snooping does not help if a system is compromised is no different than arguing that a compromised system wont log your keystrokes when you manually enter your password.

The big picture view would be that a master password allows a layer of protection from the casual browser who may use my computer while I am on vacation from work, or at lunch, or many other times I am away from my desk. Sure they could install something to keylog, but they could do that even if there is not a master password.

However, it DOES provides a layer of protection from the opportunistic person who is just poking around for fun and might be enticed by something they see, but never take the next step of full on hacking.

From the amount of resistance against something like this, it must be pretty hard to implement but maybe someone is around now who might have an interest in this feature.

Anyway, I personally would like to have something like this in place, think others might too.

Regards.

Change History (6)

comment:1 Changed 9 years ago by maathieu

Priority: normalhigh

This feature would also provide security in the case your computer gets stolen, which happens, specially in the corporate world, more often than thought.

Several third parties offer "Portable filezilla" versions that you can use straight from a USB key (see for example here). Needless to say USB keys can be easily lost or stolen...

comment:2 Changed 9 years ago by Jacob

Malicious site gumblar.cn used the plain text PW in FileZilla (and other possible clients) to attack thousands of websites in 2009. From a forum entry:

"When you inadvertently load an infected page, it redirects you to the gumblar webpage, and it pushes a pdf file to your computer. It then exploits a known Adobe Reader vulnerability, and gets access to your PC. From there, it looks for common ftp clients, (for me this was FileZilla) grabs any stored passwords, and sends them home. While it’s there, it seems to disable regedit, cmd, and can disable virus scanners. The passwords that were sent home are then used to infect your websites, and the cycle continues the next time another webmaster browses across your site."

comment:3 Changed 9 years ago by Tim Kosse

And? Clearly a problem with Adobe Reader, not FileZilla.

comment:4 Changed 9 years ago by david lund

Appreciate the comment but the situation also clearly lacks awareness that bugs happen, security issues happen, nosy snoopers happen... never saw a piece of software that didnt have some form of issue along the way, sometime.

Good fences make good neighbors or so the saying goes. Taking basic steps to secure data, even the most basic as munging up the plain text passwords, can help prevent rampant needless data loss if a neighboring program has issues.

comment:5 Changed 8 years ago by Chris Dornan

The answers to this perenial request tend to be reduced to 'perfect security is not possible' -- truly a case of the perfect being the enemy of the better. Perfect security is not possible of course.

As things stand FileZilla is acting as the first part of a trojan horse, luring users to store their passwords in clear text for some malware to all-too-easily scoop them up at their leisure. A goldmine that never stops giving for the botnets.

Forget the strawmen about open source and weak master passwords -- the issues are the same for any open-source password manager.

Allowing the situation to continue appears irresponsible. The passwords should not be stored (i.e., locked in in kiosk mode) until a reasonable mechanism for securing them based on a master password has been provided--like FireFox does.

comment:6 Changed 7 years ago by Alexander Schuch

Resolution: duplicate
Status: newclosed

This is a duplicate of #2935.

Note: See TracTickets for help on using tickets.