  1. #1

    Filezilla FTP Client - how to make it more secure?

    Hi Guys,

    Can anyone please tell me how to protect against storing passwords in an XML file using Filezilla?

    Or are there better alternatives out there?

    Thanks in advance

  2. #2
    Pullo
    Hi,

    Filezilla stores your passwords in plain text by design. The developers consider it the task of your operating system to protect your private data.
    AFAIK you cannot change this. This leaves you with two options:
    1. Don't save your passwords in Filezilla, rather use a password safe (e.g. Keepass) instead. The obvious disadvantage of this approach is that you have to enter your password manually every time you need to connect to your site.
    2. Use an FTP client which stores passwords in an encrypted form, e.g. Core FTP or Fire FTP.
    HTH

  3. #3
    wwb_99
    I wouldn't get horribly hung up on it -- even if Filezilla is storing the passwords in the most secure manner possible, you are still sending it in the clear with each FTP request. There is no transport layer security.

  4. #4
    ralph.m
    What about SFTP?

  5. #5
    logic_earth
    Originally Posted by ralph.m:
    > What about SFTP?

    SFTP is not the same as FTP. Plus it requires one to have SSH access with an SFTP server as well.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  6. #6
    wwb_99
    Filezilla stores the files within your user profile. If there is an untrusted entity with unfettered access to your user settings then you've got a significant security issue that well surpasses someone stealing a few FTP passwords.

  7. #7
    Pullo
    Originally Posted by ralph.m:
    > What about SFTP?

    +1 for SFTP.
    I would personally care more about not transmitting everything in plain text, as opposed to how FZ stores my passwords.

  8. #8
    ralph.m
    Originally Posted by logic_earth:
    > SFTP is not the same as FTP. Plus it requires one to have SSH access with an SFTP server as well.

    Yes, it's not always available, but certainly worth using if it is. My current server allows it.

  9. #9
    Originally Posted by mattastic:
    > Can anyone please tell me how to protect against storing passwords in an XML file using Filezilla?

    What I do is use the Filezilla Portable version in an encrypted TrueCrypt volume. I mount the volume whenever I need to run Filezilla and dismount soon after use. It's not ideal but it increases security a little bit. Filezilla lacks a global password feature that would make it possible to encrypt all stored passwords securely.

  10. #10
    @Pullo: according to this article http://blog.unmaskparasites.com/2009...dentials-from/ , Core FTP is targeted by malware just as Filezilla is, which suggests it must be easy to extract passwords from it!

  11. #11
    Pullo
    Originally Posted by baia:
    > according to this article http://blog.unmaskparasites.com/2009...dentials-from/ , Core FTP is targeted by malware just as Filezilla is, which suggests it must be easy to extract passwords from it!

    Perhaps. The article doesn't go into much detail, so it is hard to comment.
    I do agree with what the author says, however:

    Originally Posted by blog author:
    > So what if you are using one of these FTP clients?
    >
    > Keep using it. Just don’t save your passwords there. Enter passwords every time you connect to remote servers. Or invest some time to read your program’s documentation and find out what they can offer to security-minded webmasters. Some clients support public key authorization, some offer encrypted site managers, etc.

    Public key authorization or entering the password manually would both increase security dramatically.

  12. #12
    @Pullo: yes, I started using SFTP or SSH/FTP (with FireFTP, which is really simple and cool) with all my websites now. It's kinda weird to see that this is somewhat exceptional, FTP being the norm. I also followed your advice about keeping credentials in Keepass, which I didn't know. This solved my security problem hopefully (I suffered a terrible FTP credentials hacking) and another problem as well: how to keep client information in an organized way. So thanks a lot!

  13. #13
    Pullo
    Yeah, Keepass rocks! I don't know how I lived without it.
    Glad you got things sorted out.
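
An added example, not part of the thread: a Python audit of a FileZilla site manager file that reports which saved sites keep a password on disk and which use a cleartext-capable protocol, the two concerns raised in posts #2 and #3. The element names (`Server`, `Pass`, `Protocol`, `Name`, `Host`), the protocol codes and the sample XML are assumptions constructed for illustration and should be checked against the installed version; passwords are never printed.

```python
import sys
import xml.etree.ElementTree as ET

# Assumed Protocol codes that can send credentials unencrypted (0 = FTP, 6 = insecure FTP).
CLEARTEXT_PROTOCOLS = {"0", "6"}

# Constructed sample in the assumed sitemanager.xml layout; all values are made up.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
    <User>web1</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass><Name>Client A</Name></Server>
  <Folder>
    <Server><Host>sftp.example.com</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Pass>constructed</Pass><Name>Client B</Name></Server>
    <Server><Host>sftp.example.net</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Logontype>2</Logontype><Name>Client C</Name></Server>
  </Folder>
</Servers></FileZilla3>"""


def audit_sites(xml_data):
    """Return [(site name, [issues])] for entries with a stored password or cleartext protocol."""
    findings = []
    # iter() also reaches <Server> entries nested inside <Folder> elements.
    for server in ET.fromstring(xml_data).iter("Server"):
        name = (server.findtext("Name") or server.findtext("Host") or "unnamed").strip()
        issues = []
        saved = server.find("Pass")
        if saved is not None and (saved.text or "").strip():
            # base64 is an encoding, not encryption: treat it like plain text.
            issues.append("password stored on disk")
        # A missing <Protocol> is treated as plain FTP (assumption).
        if (server.findtext("Protocol") or "0").strip() in CLEARTEXT_PROTOCOLS:
            issues.append("cleartext-capable protocol")
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    # Pass the path to a site manager file, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for site, issues in audit_sites(data):
        print(f"{site}: {', '.join(issues)}")
```

Sites that report only "password stored on disk" are candidates for the password-safe or key-based approach discussed in the thread; sites that report a cleartext-capable protocol are candidates for moving to SFTP where the server offers it.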

