FileZilla stores your passwords in plain text.

flagpole
Did everyone know this?

Since version 3, FileZilla stores the passwords for your recent sites and saved sites in plain text. The user is asked if they want to save passwords, but they are not warned that they are unencrypted.

Locations:
Vista/7/8: C:\Users\-username-\AppData\Roaming\FileZilla\
XP: C:\Documents and Settings\-username-\Application Data\FileZilla
Linux: /home/-username-/.filezilla/

The developer (who is a giant bell end) believes that it's your responsibility to secure your OS.

I believe that this weakness is providing miscreants with server passwords which is helping to spread malware.

So, recommendations for another client, please.

Comments

  • Maxatoria
    Technically, even encrypting the passwords won't do much should someone really want your details (OK, plaintext is wrong). It's cheap and cheerful to slap some encryption on the stored password, but with today's brute-force GPU crackers it won't stay hidden for very long if someone can get hold of the encrypted password. More than likely any trojans looking for FileZilla are just script-kiddy ones that will grab whatever they can from a system in plaintext/crap encryption format(s) and send it back to the kiddy to read/decode in minutes.
  • flagpole
    Maxatoria wrote: »
    Technically, even encrypting the passwords won't do much should someone really want your details (OK, plaintext is wrong). It's cheap and cheerful to slap some encryption on the stored password, but with today's brute-force GPU crackers it won't stay hidden for very long if someone can get hold of the encrypted password. More than likely any trojans looking for FileZilla are just script-kiddy ones that will grab whatever they can from a system in plaintext/crap encryption format(s) and send it back to the kiddy to read/decode in minutes.

    I realise that the extent to which you can encrypt such things is limited.

    But nonetheless you can explain the weakness to your users without resorting to plain text just to be a ****.
  • njp
    Hmm. I didn't know that. Not immediately obvious when I looked, because all my passwords are software generated and look like encrypted strings anyway. Not impressed.

    I don't think the argument about brute force GPU crackers is very compelling. It's still computationally intensive when plenty of lower hanging fruit is available. And if your passwords are super critical, then simply making them long enough (provided the server will accept them) will always defeat any brute force attack using whatever is the current state-of-the art technology.
  • flagpole
    njp wrote: »
    Hmm. I didn't know that. Not immediately obvious when I looked, because all my passwords are software generated and look like encrypted strings anyway. Not impressed.

    I don't think the argument about brute force GPU crackers is very compelling. It's still computationally intensive when plenty of lower hanging fruit is available. And if your passwords are super critical, then simply making them long enough (provided the server will accept them) will always defeat any brute force attack using whatever is the current state-of-the art technology.
    Programming for GPU is not straightforward. It seems to me that it is unlikely to be available.

    Obviously any algorithm needs to be reversible, and the software is open source so it would be known, but the issue is not insurmountable. There are plenty of encryption regimes that meet this requirement and are unbreakable subject to password length.

    Ask TrueCrypt.
  • Maxatoria
    But given that the source to FileZilla is open, it wouldn't take much effort to cut/paste the decrypt-password function into a small program, as any keys needed will be readable as well, making the effort of encrypting the password worthless if the operating system is compromised. Commercial programs have the advantage that the source code isn't available for simple cut/paste attacks.

    What would probably be needed is a master password for FileZilla that can be used to encrypt all the site passwords, with that master password never stored on the machine, and with plenty of notice that forgetting your master password will mean you have to manually type in any site passwords.
  • njp
    flagpole wrote: »
    Programming for GPU is not straightforward. It seems to me that it is unlikely to be available.

    Obviously any algorithm needs to be reversible, and the software is open source so it would be known, but the issue is not insurmountable. There are plenty of encryption regimes that meet this requirement and are unbreakable subject to password length.

    Ask TrueCrypt.
    You are agreeing with me, I think...

    [I don't think you were suggesting that it would, but it's worth noting that TrueCrypt doesn't solve this particular problem, because if you've mounted an encrypted volume, anything accessed on it will be decoded on the fly, whether by you, your legitimate software, or a piece of malware you've inadvertently acquired.]
  • njp
    Maxatoria wrote: »
    But given that the source to FileZilla is open, it wouldn't take much effort to cut/paste the decrypt-password function into a small program, as any keys needed will be readable as well, making the effort of encrypting the password worthless if the operating system is compromised. Commercial programs have the advantage that the source code isn't available for simple cut/paste attacks.
    That's nonsense. Publishing the encryption algorithm doesn't compromise security. Quite the reverse, in fact. If the algorithm is good, the security lies in the strength of the key. There should be no "back doors" and no cryptographic weakness. That's why brute force attacks exist.
  • Maxatoria
    njp wrote: »
    That's nonsense. Publishing the encryption algorithm doesn't compromise security. Quite the reverse, in fact. If the algorithm is good, the security lies in the strength of the key. There should be no "back doors" and no cryptographic weakness. That's why brute force attacks exist.

    What I meant was just running over each site password with a simple algorithm to obscure it so it couldn't be read in plain text, not any actual cryptographic methods.
  • flagpole
    njp wrote: »
    You are agreeing with me, I think...

    [I don't think you were suggesting that it would, but it's worth noting that TrueCrypt doesn't solve this particular problem, because if you've mounted an encrypted volume, anything accessed on it will be decoded on the fly, whether by you, your legitimate software, or a piece of malware you've inadvertently acquired.]

    I was agreeing with you.

    I'm not saying TrueCrypt solves the problem, but simply that there is robust password-based encryption.
  • flagpole
    Maxatoria wrote: »
    What I meant was just running over each site password with a simple algorithm to obscure it so it couldn't be read in plain text, not any actual cryptographic methods.

    This is true, though frankly it would still be a lot better than plain text.

    You would want a system like that used in Firefox, where you have a master password.
  • njp
    Maxatoria wrote: »
    What I meant was just running over each site password with a simple algorithm to obscure it so it couldn't be read in plain text, not any actual cryptographic methods.
    Fair enough. I agree a naive security implementation doesn't really achieve anything. But there is plenty of freely available source code for decent algorithms:

    For example: Twofish
  • tellytart1
    This is a red herring.

    Most FTP servers still require the password to be entered in plain text. Some require MD5 hashes.

    However, when storing passwords in FileZilla, because of the need to send passwords for FTP in plain text or generate an MD5 hash from the plain text, if FileZilla were to encrypt the passwords it has stored, it would need to be able to decrypt them again.

    FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure. So there is no increased security risk in storing the FTP passwords in plain text.

    (You are using different passwords for every site you have login details for, aren't you? If not, you should be, as you're asking for trouble if your password was ever compromised).
  • John259
    tellytart1 wrote: »
    FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure.
    With modern encryption methods the encryption and decryption algorithms and the public encryption key can all be made public without compromising security, provided the private decryption key is kept secret.
    http://en.wikipedia.org/wiki/Public-key_cryptography
  • njp
    tellytart1 wrote: »
    FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure. So there is no increased security risk in storing the FTP passwords in plain text.
    That's about as wrong as it is possible to be.
    (You are using different passwords for every site you have login details for, aren't you? If not, you should be, as you're asking for trouble if your password was ever compromised).
    Yes, I am. Needless to say, I don't need to remember them.
  • flagpole
    tellytart1 wrote: »
    This is a red herring.

    Most FTP servers still require the password to be entered in plain text. Some require MD5 hashes.

    However, when storing passwords in FileZilla, because of the need to send passwords for FTP in plain text or generate an MD5 hash from the plain text, if FileZilla were to encrypt the passwords it has stored, it would need to be able to decrypt them again.

    FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure. So there is no increased security risk in storing the FTP passwords in plain text.

    (You are using different passwords for every site you have login details for, aren't you? If not, you should be, as you're asking for trouble if your password was ever compromised).

    This is very, very wrong.

    For a start, if your understanding of the process were correct, even employing a known and weak cryptographic algorithm would be better than plain text, simply by increasing the skill set required to access them.

    I understand why your mind jumps to hashes when thinking of passwords, but that is not the model we are talking about here. Hashes are non-reversible: great for authenticated login, but useless here.

    The model we are talking about is using a master password and a known, open-source encryption algorithm, thus allowing the program to retrieve the plain text password from the encrypted form, not unlike the method used by your browser.

    Yes, it's vulnerable when the program is running, or when the passwords are transmitted, to a more sophisticated attack. But this is not nearly as bad as being vulnerable all of the time to anything that runs for a second, even sandboxed.
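The master-password model described in the post above (and in Maxatoria's earlier suggestion), worked through as an added example in Go. This is not FileZilla's code and not code from anyone in the thread: a saved-sites file modelled on a generic FTP site manager is serialised once with plaintext `<Pass>` elements, the way the opening post describes, and once with each password sealed under a key derived from a master password that is never written to disk. The element names, the PBKDF2 parameters, the AAD layout and the sample credentials are all assumptions made for this example; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// Site and SiteManager model a generic saved-sites file; the element names are an assumption, not FileZilla's real format.
type Site struct {
	Host string `xml:"Host"`
	User string `xml:"User"`
	Pass string `xml:"Pass"` // plaintext in the naive layout; base64(nonce||ciphertext||tag) once protected
}

type SiteManager struct {
	Salt  string `xml:"Salt,omitempty"` // KDF salt, present only in the protected layout
	Sites []Site `xml:"Site"`
}

const kdfIter, keyLen, saltLen, nonceLen = 200000, 32, 16, 12 // HMAC rounds per master-password guess; AES-256 key; salt; GCM nonce

// pbkdf2SHA256 is RFC 8018 PBKDF2-HMAC-SHA256 for a 32-byte key (one hash block), spelled out so only the standard library is needed.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func newAEAD(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIter)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                                         // AES block: cannot fail
	return aead
}

// Protect re-encodes every password under the master password, which is never itself written to the file.
func Protect(plain SiteManager, master string) SiteManager {
	salt := randBytes(saltLen)
	aead := newAEAD(master, salt)
	out := SiteManager{Salt: base64.StdEncoding.EncodeToString(salt)}
	for _, s := range plain.Sites {
		nonce := randBytes(nonceLen)
		// AAD = host\x00user binds each ciphertext to its own entry, so it cannot be moved onto another site by editing the file.
		blob := aead.Seal(nonce, nonce, []byte(s.Pass), []byte(s.Host+"\x00"+s.User)) // nonce || ciphertext || tag
		out.Sites = append(out.Sites, Site{s.Host, s.User, base64.StdEncoding.EncodeToString(blob)})
	}
	return out
}

// Unprotect reverses Protect; a wrong master password or an edited entry fails GCM authentication instead of yielding garbage.
func Unprotect(prot SiteManager, master string) (SiteManager, error) {
	salt, err := base64.StdEncoding.DecodeString(prot.Salt)
	if err != nil || len(salt) != saltLen {
		return SiteManager{}, fmt.Errorf("file is not master-password protected")
	}
	aead := newAEAD(master, salt)
	var out SiteManager
	for _, s := range prot.Sites {
		raw, err := base64.StdEncoding.DecodeString(s.Pass)
		if err != nil || len(raw) < nonceLen+aead.Overhead() {
			return SiteManager{}, fmt.Errorf("%s@%s: malformed entry", s.User, s.Host)
		}
		pt, err := aead.Open(nil, raw[:nonceLen], raw[nonceLen:], []byte(s.Host+"\x00"+s.User))
		if err != nil {
			return SiteManager{}, fmt.Errorf("%s@%s: wrong master password or tampered entry", s.User, s.Host)
		}
		out.Sites = append(out.Sites, Site{s.Host, s.User, string(pt)})
	}
	return out, nil
}

func main() {
	plain := SiteManager{Sites: []Site{{"ftp.example.com", "deploy", "correct horse battery staple"}}} // constructed sample
	before, _ := xml.MarshalIndent(plain, "", "  ")
	after, _ := xml.MarshalIndent(Protect(plain, "a long master passphrase"), "", "  ")
	fmt.Printf("naive layout:\n%s\n\nprotected layout:\n%s\n", before, after)
}
```

Three things this makes concrete. The algorithm and the source are public, as njp argued, and the file is still useless without the master password: the only thing an attacker who copies it can do is run PBKDF2 200,000 times per guess, which is what makes "GPU cracking" a question of passphrase length rather than of the software's secrets. The GCM tag also means a wrong master password is reported as an error instead of silently producing garbage, and an entry cannot be re-pointed at another host by editing the XML. And, as the post above concedes, none of this helps once the user has typed the master password and the client holds the decrypted passwords in memory; it closes the "anything that runs for a second" window, not the running-process one.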
  • Maxatoria
    Probably the reason he keeps the passwords plaintext is that it reduces the support problems: no "I forgot my master password, now I can't log in" crap, and also, with no encryption, no problems with some countries and their bans/limits on encryption tech.
  • flagpole
    Maxatoria wrote: »
    Probably the reason he keeps the passwords plaintext is that it reduces the support problems: no "I forgot my master password, now I can't log in" crap, and also, with no encryption, no problems with some countries and their bans/limits on encryption tech.

    Having read his comments on his forum, I think he might just be a dick.

    He keeps saying "If your system is secure, you can use nuclear missile launch codes as desktop background." Which is all well and good, but, as I said, if my aunt had balls she'd be my uncle. No system is 100% secure; there are exploits discovered all the time.

    He has a real beef with people that allow their systems to become infected. It's your responsibility to secure your own operating system, he constantly says.

    And even if you have nothing but contempt for people who allow their systems to become infected, my real issue is that these are server passwords that are being made available. It makes the spread of malware, phishing and DDoS that much easier.