FileZilla stores your passwords in plain text.


Old 31-07-2013, 08:28
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524

Did everyone know this?

Since version 3, FileZilla stores the passwords for your recent sites and saved sites in plain text. The user is asked if they want to save passwords; they are not warned that they are unencrypted.

Locations:
Vista/7/8: C:\Users\-username-\AppData\Roaming\FileZilla\
XP: C:\Documents and Settings\-username-\Application Data\FileZilla
Linux: /home/-username-/.filezilla/

The developer (who is a giant bell end) believes that it's your responsibility to secure your OS.

I believe that this weakness is providing miscreants with server passwords which is helping to spread malware.

So recommendations for another client please.
Old 31-07-2013, 09:06
Maxatoria
Forum Member
 
Join Date: Apr 2011
Posts: 5,190
Technically, even encrypting the passwords won't do much should someone really want your details (OK, plaintext is wrong). It's cheap and cheerful to slap some encryption on the stored password, but with today's brute-force GPU crackers it won't stay hidden for very long if someone can get hold of the encrypted password. More than likely, any trojans looking for FileZilla are just script-kiddy ones that will grab whatever they can from a system in plaintext/crap encryption format(s) and send it back to the kiddy to read/decode in minutes.
Old 31-07-2013, 09:12
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote: Originally Posted by Maxatoria
Technically, even encrypting the passwords won't do much should someone really want your details (OK, plaintext is wrong). It's cheap and cheerful to slap some encryption on the stored password, but with today's brute-force GPU crackers it won't stay hidden for very long if someone can get hold of the encrypted password. More than likely, any trojans looking for FileZilla are just script-kiddy ones that will grab whatever they can from a system in plaintext/crap encryption format(s) and send it back to the kiddy to read/decode in minutes.
I realise that the extent to which you can encrypt such things is limited.

But nonetheless you can explain the weakness to your users without resorting to plain text just to be a ****.
Old 31-07-2013, 09:44
njp
Forum Member
 
Join Date: Dec 2004
Posts: 16,855
Hmm. I didn't know that. Not immediately obvious when I looked, because all my passwords are software generated and look like encrypted strings anyway. Not impressed.

I don't think the argument about brute force GPU crackers is very compelling. It's still computationally intensive when plenty of lower hanging fruit is available. And if your passwords are super critical, then simply making them long enough (provided the server will accept them) will always defeat any brute force attack using whatever is the current state-of-the art technology.
Old 31-07-2013, 10:16
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote: Originally Posted by njp
Hmm. I didn't know that. Not immediately obvious when I looked, because all my passwords are software generated and look like encrypted strings anyway. Not impressed.

I don't think the argument about brute force GPU crackers is very compelling. It's still computationally intensive when plenty of lower hanging fruit is available. And if your passwords are super critical, then simply making them long enough (provided the server will accept them) will always defeat any brute force attack using whatever is the current state-of-the art technology.
Programming for GPUs is not straightforward. It seems to me that it is unlikely to be available.

Obviously any algorithm needs to be reversible, and the software is open source so it would be known, but the issue is not insurmountable. There are plenty of encryption regimes that meet this requirement and are unbreakable subject to password length.

Ask TrueCrypt.
Old 31-07-2013, 10:38
Maxatoria
Forum Member
 
Join Date: Apr 2011
Posts: 5,190
But given that the source to FileZilla is open, it wouldn't take much effort to cut/paste the decrypt-password function into a small program, as any keys needed will be readable as well, making the effort of encrypting the password worthless if the operating system is compromised. Commercial programs have the advantage that the source code isn't available for simple cut/paste attacks.

What would probably be needed would be a master password for FileZilla that can be used to encrypt all the site passwords, and that master password is never stored on the machine, with plenty of notice that forgetting your master password will mean you will have to manually type in any site passwords.
Old 31-07-2013, 10:45
njp
Forum Member
 
Join Date: Dec 2004
Posts: 16,855
Quote: Originally Posted by flagpole
Programming for GPUs is not straightforward. It seems to me that it is unlikely to be available.

Obviously any algorithm needs to be reversible, and the software is open source so it would be known, but the issue is not insurmountable. There are plenty of encryption regimes that meet this requirement and are unbreakable subject to password length.

Ask TrueCrypt.
You are agreeing with me, I think...

[I don't think you were suggesting that it would, but it's worth noting that Truecrypt doesn't solve this particular problem, because if you've mounted an encrypted volume, anything accessed on it will be decoded on the fly - whether by you, your legitimate software, or a piece of malware you've inadvertently acquired.]
Old 31-07-2013, 10:49
njp
Forum Member
 
Join Date: Dec 2004
Posts: 16,855
Quote: Originally Posted by Maxatoria
But given that the source to FileZilla is open, it wouldn't take much effort to cut/paste the decrypt-password function into a small program, as any keys needed will be readable as well, making the effort of encrypting the password worthless if the operating system is compromised. Commercial programs have the advantage that the source code isn't available for simple cut/paste attacks.
That's nonsense. Publishing the encryption algorithm doesn't compromise security. Quite the reverse, in fact. If the algorithm is good, the security lies in the strength of the key. There should be no "back doors" and no cryptographic weakness. That's why brute force attacks exist.
Old 31-07-2013, 10:54
Maxatoria
Forum Member
 
Join Date: Apr 2011
Posts: 5,190
Quote: Originally Posted by njp
That's nonsense. Publishing the encryption algorithm doesn't compromise security. Quite the reverse, in fact. If the algorithm is good, the security lies in the strength of the key. There should be no "back doors" and no cryptographic weakness. That's why brute force attacks exist.
What I meant was just running over each site password with a simple algorithm to obscure it so it couldn't be read in plain text, not any actual cryptographic methods.
Old 31-07-2013, 11:03
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote: Originally Posted by njp
You are agreeing with me, I think...

[I don't think you were suggesting that it would, but it's worth noting that Truecrypt doesn't solve this particular problem, because if you've mounted an encrypted volume, anything accessed on it will be decoded on the fly - whether by you, your legitimate software, or a piece of malware you've inadvertently acquired.]
I was agreeing with you.

I'm not saying TrueCrypt solves the problem, but simply that there is robust password-based encryption.
Old 31-07-2013, 11:04
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote: Originally Posted by Maxatoria
What I meant was just running over each site password with a simple algorithm to obscure it so it couldn't be read in plain text, not any actual cryptographic methods.
This is true, though frankly it would still be a lot better than plain text.

You would want a system like that used in Firefox where you have a master password.
Old 31-07-2013, 11:05
njp
Forum Member
 
Join Date: Dec 2004
Posts: 16,855
Quote: Originally Posted by Maxatoria
What I meant was just running over each site password with a simple algorithm to obscure it so it couldn't be read in plain text, not any actual cryptographic methods.
Fair enough. I agree a naive security implementation doesn't really achieve anything. But there is plenty of freely available source code for decent algorithms:

For example: Twofish
Old 31-07-2013, 11:11
tellytart1
Forum Member
 
Join Date: Sep 2003
Location: London
Posts: 3,636
This is a red herring.

Most FTP servers still require the password to be entered in plain text. Some require MD5 hashes.

However, when storing passwords in FileZilla, because of the need to send passwords for FTP in plain text or generate an MD5 hash from the plain text, if FileZilla were to encrypt the passwords it has stored, it would need to be able to decrypt them again.

FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure. So there is no increased security risk in storing the FTP passwords in plain text.

(You are using different passwords for every site you have login details for, aren't you? If not, you should be, as you're asking for trouble if your password was ever compromised).
Old 31-07-2013, 11:25
John259
Forum Member
 
Join Date: Nov 2003
Location: Norwich, Norfolk, UK
Posts: 13,217
Quote: Originally Posted by tellytart1
FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure.
With modern encryption methods the encryption and decryption algorithms and the public encryption key can all be made public without compromising security, provided the private decryption key is kept secret.
http://en.wikipedia.org/wiki/Public-key_cryptography
Old 31-07-2013, 11:30
njp
Forum Member
 
Join Date: Dec 2004
Posts: 16,855
Quote: Originally Posted by tellytart1
FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure. So there is no increased security risk in storing the FTP passwords in plain text.
That's about as wrong as it is possible to be.

Quote: Originally Posted by tellytart1
(You are using different passwords for every site you have login details for, aren't you? If not, you should be, as you're asking for trouble if your password was ever compromised).
Yes, I am. Needless to say, I don't need to remember them.
Old 31-07-2013, 11:52
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote: Originally Posted by tellytart1
This is a red herring.

Most FTP servers still require the password to be entered in plain text. Some require MD5 hashes.

However, when storing passwords in FileZilla, because of the need to send passwords for FTP in plain text or generate an MD5 hash from the plain text, if FileZilla were to encrypt the passwords it has stored, it would need to be able to decrypt them again.

FileZilla is open source, therefore the encrypt/decrypt routines are in the public domain, so couldn't be considered secure. So there is no increased security risk in storing the FTP passwords in plain text.

(You are using different passwords for every site you have login details for, aren't you? If not, you should be, as you're asking for trouble if your password was ever compromised).
This is very very wrong.

For a start, if your understanding of the process were correct, even employing a known and weak cryptographic algorithm would be better than plain text, simply by increasing the skill set required to access them.

I understand why your mind jumps to hashes when thinking of passwords, but that is not the model we are talking about here. Hashes are non-reversible: great for authenticated login, but useless here.

The model we are talking about is using a master password and a known, open-source encryption algorithm, thus allowing the program to retrieve the plain-text password from the encrypted form, not unlike the method used by your browser.

Yes, it's vulnerable when the program is running, or when the passwords are transmitted, to a more sophisticated attack. But this is not nearly as bad as being vulnerable all of the time to anything that runs for a second, even sandboxed.
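The master-password design that Maxatoria and flagpole describe above (each site password encrypted under a master password that is never written to disk, with a known open-source algorithm doing the work), as an added Go example; this is not FileZilla's code, and the record layout, the iteration count and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kdf is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out to stay stdlib-only; iter is the slow step.
func kdf(master, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u, t := mac.Sum(nil), mac.Sum(nil) // U1 and the running XOR T (two separate copies)
	for i := 1; i < iter; i++ {
		mac.Reset() // keyed state is kept: U_i = HMAC(master, U_{i-1})
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aeadFor derives an AES-256-GCM instance from master password + salt (a 32-byte key cannot fail).
func aeadFor(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kdf([]byte(master), salt, 100000)) // 100000 iterations: every guess at the master password pays this
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts one site password; the record salt(16)||nonce(12)||ciphertext+tag is all that goes to disk (layout constructed here), the master password itself is never stored.
func Seal(master, sitePassword string) []byte {
	hdr := make([]byte, 28) // fresh random salt and nonce per record
	rand.Read(hdr)
	return aeadFor(master, hdr[:16]).Seal(hdr, hdr[16:], []byte(sitePassword), nil)
}

// Open recovers the site password; a wrong master password fails the GCM tag check rather than yielding garbage.
func Open(master string, rec []byte) (string, error) {
	if len(rec) < 28+16 { // header plus at least the 16-byte GCM tag
		return "", errors.New("record too short")
	}
	pt, err := aeadFor(master, rec[:16]).Open(nil, rec[16:28], rec[28:], nil)
	return string(pt), err
}
```

A stolen record by itself gives an attacker only salt, nonce and ciphertext, so the cost of each guess is the KDF, which is the difference the thread is arguing about; the design still cannot protect passwords while the client is running with the master password in memory, as flagpole notes.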
Old 31-07-2013, 12:08
Maxatoria
Forum Member
 
Join Date: Apr 2011
Posts: 5,190
Probably the reason he keeps the passwords in plaintext is that it reduces the support problems... no "I forgot my master password, now I can't log in" crap, and also no encryption means no problems with some countries and their bans/limits on encryption tech.
Old 31-07-2013, 12:22
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote: Originally Posted by Maxatoria
Probably the reason he keeps the passwords in plaintext is that it reduces the support problems... no "I forgot my master password, now I can't log in" crap, and also no encryption means no problems with some countries and their bans/limits on encryption tech.
Having read his comments on his forum, I think he might just be a dick.

He keeps saying "If your system is secure, you can use nuclear missile launch codes as desktop background", which is all well and good. But as I said, if my aunt had balls she'd be my uncle. No system is 100% secure; there are exploits discovered all the time.

He has a real beef with people that allow their systems to become infected. It's your responsibility to secure your own operating system, he constantly says.

And even if you have nothing but contempt for people who allow their systems to become infected, my real issue is that these are server passwords that are being made available. It makes the spread of malware, phishing and DDoS that much easier.
 