mattastic — 2012-09-14T09:45:59-04:00 — #1
Can anyone please tell me how to protect against storing passwords in an XML file using filezilla?
Or are there better alternatives out there?
Thanks in advance
pullo — 2012-09-16T07:08:46-04:00 — #2
Filezilla stores your passwords in plain text by design. The developers consider it the task of your operating system to protect your private data.
AFAIK you cannot change this. This leaves you with two options:
- Don't save your passwords in Filezilla, rather use a password safe (e.g. Keepass) instead. The obvious disadvantage of this approach is that you have to enter your password manually every time you need to connect to your site.
- Use an FTP client which stores passwords in an encrypted form, e.g. [Core FTP](http://www.coreftp.com/) or [Fire FTP](http://fireftp.mozdev.org/)
wwb_99 — 2012-09-16T09:27:58-04:00 — #3
I wouldn't get horribly hung up on it -- even if filezilla is storing the passwords in the most secure manner possible, you are still sending it in the clear with each FTP request. There is no transport layer security.
ralphm — 2012-09-16T09:32:29-04:00 — #4
logic_earth — 2012-09-16T09:39:01-04:00 — #5
SFTP is not the same as FTP. Plus, it requires one to have SSH access with an SFTP server as well.
wwb_99 — 2012-09-16T09:51:44-04:00 — #6
Filezilla stores the files within your user profile. If there is an untrusted entity with unfettered access to your user settings then you've got a significant security issue that well surpasses someone stealing a few FTP passwords.
pullo — 2012-09-16T10:23:50-04:00 — #7
+1 for SFTP.
I would personally care more about not transmitting everything in plain text, as opposed to how FZ stores my passwords.
ralphm — 2012-09-16T11:09:18-04:00 — #8
Yes, it's not always available, but certainly worth using if it is. My current server allows it.
lemon_juice — 2012-09-21T12:31:14-04:00 — #9
What I do is use the Filezilla Portable version in an encrypted TrueCrypt volume. I mount the volume whenever I need to run Filezilla and dismount soon after use. It's not ideal but it increases security a little bit. Filezilla lacks a global password feature that would make it possible to encrypt all stored passwords securely.
baia — 2013-03-22T06:52:41-04:00 — #10
@Pullo: according to this article, http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/, Core FTP is targeted by malware just as Filezilla is, which suggests it must be easy to extract passwords from it!
pullo — 2013-03-26T06:24:52-04:00 — #11
Perhaps. The article doesn't go into much detail, so it is hard to comment.
I do agree with what the author says, however:
> Public key authorization or entering the password manually would both increase security dramatically.
baia — 2013-03-26T07:08:53-04:00 — #12
@Pullo: yes, I started using SFTP or SSH/FTP (with FireFTP, which is really simple and cool) with all my websites now. It's kinda weird to see that this is somewhat exceptional, FTP being the norm. I also followed your advice about keeping credentials in Keepass, which I didn't know. This solved my security problem hopefully (I suffered a terrible FTP credentials hacking) and another problem as well: how to keep client information in an organized way. So thanks a lot!
pullo — 2013-03-26T07:14:44-04:00 — #13
Yeah, Keepass rocks! I don't know how I lived without it.
Glad you got things sorted out.
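
An added example, not part of any post in this thread and not FileZilla's own code: a small audit of a FileZilla site file that reports, per saved site, whether a password is stored on disk (post #2) and whether the chosen protocol can send it in the clear (posts #3 and #7). The element names, the protocol codes and the `encoding="base64"` attribute are assumptions about the FileZilla 3 `sitemanager.xml` layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed FileZilla 3 protocol codes; anything not listed is reported as unknown.
PROTOCOLS = {"0": "FTP", "1": "SFTP", "3": "FTPS", "4": "FTPES", "6": "FTP (insecure)"}
# Code 0 is treated as cleartext-capable, since plain FTP has no transport security.
ENCRYPTED = {"1", "3", "4"}

# Constructed sample in the assumed sitemanager.xml layout; not real credentials.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <User>webmaster</User><Pass>hunter2</Pass><Name>Client A</Name></Server>
    <Server><Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Pass encoding="base64">aHVudGVyMg==</Pass><Name>Client B</Name></Server>
    <Server><Host>sftp.example.net</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Name>Client C</Name></Server>
  </Servers>
</FileZilla3>"""


def audit_sites(xml_text):
    """Return one finding per <Server>. The password value is never returned."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            storage = "none"
        elif pw.get("encoding") == "base64":
            storage = "base64 (encoding, not encryption)"
        elif pw.get("encoding"):
            storage = "encoded: " + pw.get("encoding")
        else:
            storage = "plain text"
        proto = (server.findtext("Protocol") or "0").strip()
        findings.append({
            "site": server.findtext("Name") or server.findtext("Host"),
            "protocol": PROTOCOLS.get(proto, "unknown (" + proto + ")"),
            # Unknown codes are flagged too, so they get reviewed by hand.
            "cleartext_transport": proto not in ENCRYPTED,
            "stored_password": storage,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sites(SAMPLE):
        print(finding)
```

To check a real profile, read the site file from your own FileZilla settings directory and pass its contents to `audit_sites`.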