A word of warning
As with any security or cryptographic product, there are a number of concerns that should be addressed. In order to use this product securely, you should make an effort to obtain a thorough understanding of its operation and the concepts involved. Improper usage is often insecure usage, so please be sure to read the manual completely.
Host Security
The security of the computer running WinSCP is a serious concern. Trojan Horse and Backdoor programs can potentially be used to steal authentication credentials such as passwords and private keys that have been stored or entered on the computer. Public computers often have session monitoring software which may include key loggers, or may have malicious software installed by a previous user.
WinSCP supports “keyboard-interactive” authentication if the server offers it. With keyboard-interactive authentication, the server can prompt for special credentials such as an S/Key one-time password or an RSA SecurID generated value. These “disposable” credentials are preferable if you must use a public computer. Contact your system administrator to find out if any form of one-time authentication is offered.
Stored Credentials
WinSCP supports storing passwords with saved sessions. This is provided as a convenience and is not recommended. If you need to be able to log in without reentering your credentials, the recommended method is to use public key authentication and protect your private key with a passphrase. The SSH key agent provided by PuTTY, Pageant, can hold the decrypted key in memory, allowing you to enter your passphrase once and continue using the key until you close the agent or log off Windows entirely.
Saved passwords are stored in a form from which they can easily be recovered. It is not possible to securely encrypt passwords in a way that still allows for automatic use. Do not use the save password feature unless you are absolutely sure of the physical and electronic security of the system on which you are storing passwords.
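As an added example (not part of the WinSCP documentation or the WinSCP project's own code), the following PowerShell script shows the recommended arrangement described above for unattended use: the key is loaded into Pageant once, with its passphrase typed interactively, and the WinSCP session is then opened without any password in the script. The install paths, the user and host name, and the host key fingerprint are placeholders; the `open` command's `-hostkey` switch and WinSCP's default of trying Pageant are real WinSCP behaviour, everything else here is assumed.

```powershell
# Added example: unattended WinSCP session using a passphrase-protected key held in
# Pageant, instead of a password saved with the session.
# Assumptions (placeholders): install path of winscp.com, remote user/host, and the
# server's host key fingerprint, which must be obtained and verified out of band.

$WinScp  = 'C:\Program Files (x86)\WinSCP\winscp.com'     # placeholder install path
$HostKey = 'ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'  # placeholder fingerprint

# 1. The private key is loaded into Pageant beforehand (e.g. by double-clicking the .ppk
#    file), which is the one time the passphrase is typed. If the agent is not running,
#    stop here rather than falling back to any stored credential.
if (-not (Get-Process -Name pageant -ErrorAction SilentlyContinue)) {
    throw 'Pageant is not running: load the passphrase-protected key into Pageant first.'
}

# 2. Build the WinSCP script. The "open" line carries no password: WinSCP asks Pageant
#    for the key by default, and -hostkey pins the expected server key so that a
#    different host is rejected instead of being accepted without a prompt.
$script = @"
option batch abort
option confirm off
open sftp://deploy@files.example.com/ -hostkey="$HostKey"
ls /upload
exit
"@
$scriptFile = Join-Path $env:TEMP 'winscp-session.txt'
Set-Content -Path $scriptFile -Value $script

# 3. Run it with a log file that can be reviewed afterwards. The script file contains
#    nothing secret, so it can be left on disk; it is removed here only for tidiness.
& $WinScp /script=$scriptFile /log="$env:TEMP\winscp-session.log"
$exit = $LASTEXITCODE
Remove-Item $scriptFile -ErrorAction SilentlyContinue
if ($exit -ne 0) { throw "WinSCP exited with code $exit; see $env:TEMP\winscp-session.log" }
```

The contrast with a saved password is the point: nothing on disk (neither the script nor a stored session) can be read back to obtain a reusable credential, and the decrypted key lives only in Pageant's memory until the agent is closed or the user logs off. The `-hostkey` pin is the second check a practitioner wants in an unattended script, since with `option batch abort` there is no interactive host key prompt to catch a substituted server.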