Filezilla stores your passwords in plain text by design. The developers consider it the task of your operating system to protect your private data.
AFAIK you cannot change this. This leaves you with two options:
Don't save your passwords in Filezilla; rather, use a password safe (e.g. Keepass) instead. The obvious disadvantage of this approach is that you have to enter your password manually every time you need to connect to your site.
Use an FTP client which stores passwords in an encrypted form, e.g. Core FTP or Fire FTP.
I wouldn't get horribly hung up on it -- even if filezilla is storing the passwords in the most secure manner possible, you are still sending it in the clear with each FTP request. There is no transport layer security.
Filezilla stores the files within your user profile. If there is an untrusted entity with unfettered access to your user settings then you've got a significant security issue that well surpasses someone stealing a few FTP passwords.
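As an added illustration of the point made above (not code from the thread or from the FileZilla project), here is a small audit script that reads a copy of the site manager XML and reports which entries have a saved password and which use plain FTP rather than SFTP, without echoing the secret itself. The file name sitemanager.xml, the element names (Host, Port, Protocol, Logontype, User, Pass, Name) and the protocol numbering (0 = FTP, 1 = SFTP) are assumptions from memory, and the sample document is constructed; check them against your own profile before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a FileZilla 3 sitemanager.xml.
# Element names and the Protocol numbering are assumed, not taken from the thread.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <Logontype>1</Logontype><User>webmaster</User><Pass>hunter2</Pass>
      <Name>Plain FTP, saved password</Name>
    </Server>
    <Server>
      <Host>sftp.example.com</Host><Port>22</Port><Protocol>1</Protocol>
      <Logontype>2</Logontype><User>webmaster</User>
      <Name>SFTP, ask for password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

PLAIN_FTP = "0"  # assumed: Protocol 0 is FTP without TLS, 1 is SFTP


def audit_sitemanager(xml_text):
    """Return one finding per <Server>; the password value itself is never copied."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        def text(tag):
            return (server.findtext(tag) or "").strip()
        pw = server.find("Pass")
        findings.append({
            "name": text("Name") or text("Host"),
            "host": text("Host"),
            "password_saved": pw is not None and bool((pw.text or "").strip()),
            "cleartext_transport": text("Protocol") == PLAIN_FTP,
        })
    return findings


def risky_entries(findings):
    """Entries that either keep a password on disk or send it unencrypted."""
    return [f for f in findings if f["password_saved"] or f["cleartext_transport"]]


if __name__ == "__main__":
    # To audit a real profile, read the file instead of using the sample text.
    for f in audit_sitemanager(SAMPLE_SITEMANAGER):
        flags = [k for k in ("password_saved", "cleartext_transport") if f[k]]
        print(f"{f['name']}: {', '.join(flags) or 'ok'}")
```

Run it against your own copy of the file to see which saved sites you should switch to "ask for password" and to SFTP.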
Can anyone please tell me how to protect against storing passwords in an XML file using filezilla?
What I do is use the Filezilla Portable version in an encrypted TrueCrypt volume. I mount the volume whenever I need to run Filezilla and dismount it soon after use. It's not ideal, but it increases security a little bit. Filezilla lacks a global password feature that would enable encrypting all stored passwords securely.
Perhaps. The article doesn't go into much detail, so it is hard to comment.
I do agree with what the author says, however:
Originally Posted by blog author
So what if you are using one of these FTP clients?
Keep using it. Just don’t save your passwords there. Enter passwords every time you connect to remote servers. Or invest some time to read your program’s documentation and find out what they can offer to security-minded webmasters. Some clients support public key authorization, some offer encrypted site managers, etc.
Public key authorization or entering the password manually would both increase security dramatically.
@Pullo: yes, I started using SFTP or SSH/FTP (with FireFTP, which is really simple and cool) with all my websites now. It's kinda weird to see that this is somewhat exceptional, FTP being the norm. I also followed your advice about keeping credentials in Keepass, which I didn't know. This solved my security problem hopefully (I suffered a terrible FTP credentials hacking) and another problem as well: how to keep client information in an organized way. So thanks a lot!