FileZilla stores passwords as plaintext.

I'm sure this is ancient news to some, but I just stumbled upon this information today. :o

Malware that targets FileZilla must be having a field day. :eek:

I am not affected as I try and avoid letting programs save my passwords.

In the case of FileZilla, I've always used:

Code:
Logon Type: Interactive
and
Code:
Protocol: SFTP - SSH File Transfer Protocol

The passwords are stored in \Users\YourUserName\AppData\Roaming\FileZilla\sitemanager.xml

Below is an entry for a fictitious site that I created. The password is omgitstrue:
Code:
        <Server>
            <Host>127.0.0.1</Host>
            <Port>2222</Port>
            <Protocol>1</Protocol>
            <Type>0</Type>
            <User>ftp</User>
            <Pass>omgitstrue</Pass>
            <Logontype>1</Logontype>
            <TimezoneOffset>0</TimezoneOffset>
            <PasvMode>MODE_DEFAULT</PasvMode>
            <MaximumMultipleConnections>0</MaximumMultipleConnections>
            <EncodingType>Auto</EncodingType>
            <BypassProxy>0</BypassProxy>
            <Name>SMH</Name>
            <Comments></Comments>
            <LocalDir></LocalDir>
            <RemoteDir></RemoteDir>
            <SyncBrowsing>0</SyncBrowsing>omg
        </Server>
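
Added example, not part of the original post and not FileZilla's own code: a small Python audit that lists which Site Manager entries carry a saved `<Pass>` value, without ever printing the password. The sample XML is constructed from the entry above; the wrapper elements, the second entry and the function name `audit_sitemanager` are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the entry in the post; the second entry and
# the wrapper elements are assumptions made for this example.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>127.0.0.1</Host>
      <Port>2222</Port>
      <Protocol>1</Protocol>
      <User>ftp</User>
      <Pass>omgitstrue</Pass>
      <Logontype>1</Logontype>
      <Name>SMH</Name>
    </Server>
    <Server>
      <Host>192.0.2.10</Host>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Logontype>3</Logontype>
      <Name>NoSavedPassword</Name>
    </Server>
  </Servers>
</FileZilla3>"""


def audit_sitemanager(xml_text):
    """Return one finding per <Server>, never including the password itself."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        stored = pass_el is not None and bool((pass_el.text or "").strip())
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "protocol": (server.findtext("Protocol") or "").strip(),
            "logontype": (server.findtext("Logontype") or "").strip(),
            "password_stored": stored,
            # Any encoding attribute is reported as-is; the post's sample has none.
            "pass_encoding": pass_el.get("encoding") if pass_el is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE):
        status = "PASSWORD STORED" if f["password_stored"] else "no saved password"
        print(f'{f["name"]:<16} {f["host"]:<12} logontype={f["logontype"]} {status}')
```

To check a real profile, pass the contents of your own `sitemanager.xml` to `audit_sitemanager` instead of `SAMPLE`.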
 
If you don't use SFTP and only use FTP then your password will be transmitted in plain text.

Also, saved passwords in Firefox and Chrome are stored in plain text.
 
I never let applications save my passwords unless they use a decent form of encryption. WinSCP stores passwords in plaintext; at least it warns the user and forces them to read a prompt before saving.

If malware were to get onto your system, it would probably use a keylogger to grab the master password.

Firefox users can enable master password which will encrypt all sensitive data.
 
FireFTP is the better FTP client anyway and I'd recommend it all day long although it's only usable if you use Firefox/Waterfox/Iron etc.
 
If you're going to use FireFTP, enable FF master password or everything will be stored in plaintext.
 
I know it's not good to have passwords stored in plain text, but you can't really be that bothered if you are using something as insecure as FTP in the first place; your credentials are already passed in plain text every time you log on to your chosen FTP server.
 
I know it's not good to have passwords stored in plain text, but you can't really be that bothered if you are using something as insecure as FTP in the first place; your credentials are already passed in plain text every time you log on to your chosen FTP server.

Is there a free solution?
 
I know it's not good to have passwords stored in plain text, but you can't really be that bothered if you are using something as insecure as FTP in the first place; your credentials are already passed in plain text every time you log on to your chosen FTP server.

Encrypted FTP does exist.
 
Thanks, that's actually really handy, now I can back up my list of sites! I use SSH with private certs stored in KeePass with the KeeAgent plugin, so nothing sensitive in there.
 