Differences

This shows you the differences between the selected revisions of the page.

2016-03-16 2016-03-16
5.8.2 Bug 1409 Remembering a password for a duration of a session by default. (martin) 5.8.2 Bug 1409 Remembering a password for a duration of a session by default - final + reword + +grammar + removing reference to cloning (martin)
Line 11: Line 11:
===== [[password_memory]] Keeping Password in Memory ===== ===== [[password_memory]] Keeping Password in Memory =====
-By default, when you [[ui_authenticate#password|enter your password on authentication window]], it is used only for that single authentication. When WinSCP needs to authenticate again, such as when reconnecting, opening additional connection for [[transfer_queue|background transfer]] or opening [[shell_session|separate shell session]], you are prompted for your password again.+By default, when you [[ui_authenticate#password|enter your password on the authentication window]], it is stored in the memory and reused for all subsequent authentications during the same session, such as when reconnecting, opening an additional connection for a [[transfer_queue|background transfer]] or opening a [[shell_session|separate shell session]]. This is the default behavior of the //latest beta version//. //In the latest stable version//, the password is not remembered by default. &beta
-You can choose to keep the password in memory, to allow its reuse, on [[ui_authenticate#password|password prompt]].  +You can choose not to keep the password in the memory, for an increased protection, using the preference option //[[ui_pref_security|Remember password for duration of session]]//. ((Note that the //[[ui_pref_integration_app|Remember session password and pass it to PuTTY]]// preference option has the same effect, so you have to disable both, to avoid automatic authentication of additional connections.))·
-You can also opt to remember the password for all sessions using preference option //[[ui_pref_security|Remember password for duration of the session·]]//. ((Note that the //[[ui_pref_integration_app|Remember session password and pass it to PuTTY]]// preference option has the same effect, so you have to disable both, to avoid automatic authentication of additional connections.))+
-//In the latest beta version//, the password is remembered by default. &beta+When you choose not to remember the password by default, you can still choose to remember it for a specific session on the [[ui_authenticate#password|password prompt]]. The same effect has entering your password already to the //[[ui_login#session_settings|Password]]// box on the Login dialog.
-The same effect (just per-session, not global) has entering your password already to a //[[ui_login#session_settings|Password]]// box on the Login dialog. For [[session_configuration#site|a stored site]] you can achieve that by [[ui_login#new_site|cloning it]].+If you have your [[security_credentials#storing_password|password stored in a site]], it is always automatically used for all authentications during a session.
-If you have your [[security_credentials#storing_password|password stored in site]], it's remembered implicitly. +Keeping the password in the memory can be dangerous, in case a malware gains access to the WinSCP process or the memory is swapped out to disk or written into a crash dump file. However, it is still unavoidably very dangerous, if malicious software is in a position to read the memory of your WinSCP processes: there is still a lot of sensitive data in there which cannot be wiped because it's still being used, e.g. session keys. Also [[ui_pageant|Pageant]] retains decrypted private keys in memory for long periods on purpose if you use it. So turning off the option to remember the password somewhat mitigates the risks of malicious access to your WinSCP processes' memory, but it cannot eliminate those risks completely. ((&puttydoccite))
- +
-Keeping password in memory can be dangerous, in case a malware gains access to the WinSCP process or the memory is swapped out to disk or written into a crash dump file. However, it is still unavoidably very dangerous if malicious software is in a position to read the memory of your WinSCP processes: there is still a lot of sensitive data in there which cannot be wiped because it's still being used, e.g. session keys. Also [[ui_pageant|Pageant]] retains decrypted private keys in memory for long periods on purpose if you use it. So turning the option off somewhat mitigates the risks of malicious access to your WinSCP processes' memory, but it cannot eliminate those risks completely. ((&puttydoccite))+
===== [[putty_password]] Passing Password to PuTTY ===== ===== [[putty_password]] Passing Password to PuTTY =====
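
Review bot: The first added paragraph (the "+By default, when you ..." line) states in-memory reuse of the password as the default, and only its last two sentences say that this applies to the latest beta version while the latest stable version does not remember the password. The default differs by version and determines how long the password stays in process memory, so lead with the version qualifier (for example "In the latest beta version, by default, ...") and follow it with the stable behavior. That way a reader of the first sentence alone does not assume the wrong default. Two smaller points in the added text: "The same effect has entering your password already to the //Password// box on the Login dialog" reads more clearly as "Entering your password in the //Password// box on the Login dialog has the same effect". The stored-site sentence ("it is always automatically used for all authentications during a session") could also state explicitly that this holds even when //Remember password for duration of session// is turned off, if that is what "always" means here, because the preceding paragraph presents turning that option off as increased protection.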

Last modified: by martin