Differences
This shows you the differences between the selected revisions of the page.
security_credentials 2023-05-04 | security_credentials 2023-10-06 (current) | ||
Line 11: | Line 11: | ||
===== [[password_memory]] Keeping Password in Memory ===== | ===== [[password_memory]] Keeping Password in Memory ===== | ||
- | By default, when you [[ui_authenticate#password|enter your password on the authentication window]], it is stored in the memory and reused for all subsequent authentications during the same session, such as when reconnecting, opening an additional connection for a [[transfer_queue|background transfer]] or opening a [[shell_session|separate shell session]]. | + | By default, when you [[ui_authenticate#password|enter your password on the authentication window]], it is stored in the memory and reused for all subsequent authentications during the same session, such as when reconnecting, opening an additional connection for a [[transfer_queue|background transfer]], opening a [[shell_session|separate shell session]] or [[integration_putty#open_putty|opening a session in PuTTY]]. |
- | You can choose not to keep the password in the memory, for an increased protection, using the preference option //[[ui_pref_security|Remember password for duration of session]]//. ((Note that the //[[ui_pref_integration_app|Remember session password and pass it to PuTTY]]// preference option (or using the ''!P'' pattern in terminal client command) has the same effect, so you have to disable both, to avoid automatic authentication of additional connections.)) | + | You can choose not to keep the password in the memory, for an increased protection, by turning off both //[[ui_pref_security|Remember password for duration of session]]// and //[[ui_pref_integration_app|Remember session password and pass it to PuTTY]]// preference options. |
When you choose not to remember the password by default, you can still choose to remember it for a specific session on the [[ui_authenticate#password|password prompt]]. The same effect has entering your password already to the //[[ui_login#session_settings|Password]]// box on the Login dialog. | When you choose not to remember the password by default, you can still choose to remember it for a specific session on the [[ui_authenticate#password|password prompt]]. The same effect has entering your password already to the //[[ui_login#session_settings|Password]]// box on the Login dialog. | ||
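Review bot: The rewritten second paragraph drops the ''!P'' pattern, which the removed footnote listed as having the same effect as the //Remember session password and pass it to PuTTY// option. A reader who turns off both preference options but still uses ''!P'' in the terminal client command is no longer told that the password stays in memory for additional connections. Suggest keeping that condition in the new sentence, for example "by turning off both ... preference options and not using the ''!P'' pattern in the terminal client command", or stating explicitly that ''!P'' no longer has this effect if that is what changed.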
Line 20: | Line 20: | ||
Keeping the password in the memory can be dangerous, in case a malware gains access to the WinSCP process or the memory is swapped out to disk or written into a crash dump file. However, it is still unavoidably very dangerous, if malicious software is in a position to read the memory of your WinSCP processes: there is still a lot of sensitive data in there which cannot be wiped because it's still being used, e.g. session keys. Also [[ui_pageant|Pageant]] retains decrypted private keys in memory for long periods on purpose if you use it. So turning off the option to remember the password somewhat mitigates the risks of malicious access to your WinSCP processes' memory, but it cannot eliminate those risks completely. ((&puttydoccite)) | Keeping the password in the memory can be dangerous, in case a malware gains access to the WinSCP process or the memory is swapped out to disk or written into a crash dump file. However, it is still unavoidably very dangerous, if malicious software is in a position to read the memory of your WinSCP processes: there is still a lot of sensitive data in there which cannot be wiped because it's still being used, e.g. session keys. Also [[ui_pageant|Pageant]] retains decrypted private keys in memory for long periods on purpose if you use it. So turning off the option to remember the password somewhat mitigates the risks of malicious access to your WinSCP processes' memory, but it cannot eliminate those risks completely. ((&puttydoccite)) | ||
- | |||
- | ===== [[putty_password]] Passing Password to PuTTY ===== | ||
- | Enable preference option //[[ui_pref_integration_app|Remember session password and pass it to PuTTY]]// to make WinSCP keep password in memory and pass it to PuTTY, when [[integration_putty#open_putty|opening a session in PuTTY]]. | ||
- | |||
- | Note that the password is passed to PuTTY using command-line parameter ''-pw''. It is rather easy for other processes (possibly malicious) on your computer to retrieve command-line used to start PuTTY, hence to discover your password. So you should avoid using this option, unless you are confident about security of your computer. Preferred alternative approach is to use [[public_key|public key]] authentication together with [[ui_pageant|Pageant]] (PuTTY can use Pageant too). | ||
===== [[storing_password]] Storing Password ===== | ===== [[storing_password]] Storing Password ===== |
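Review bot: Deleting the whole [[putty_password]] section also deletes the warning that the password is passed to PuTTY with the ''-pw'' command-line parameter, that other processes on the computer can retrieve that command line, and that public key authentication with Pageant is the preferred alternative. Nothing in the visible new text replaces it: the first hunk only adds a link to [[integration_putty#open_putty]], and the remaining paragraph on memory risks does not mention command-line exposure. Suggest keeping one sentence with the ''-pw'' caveat and the Pageant recommendation in the "Keeping Password in Memory" section, or confirming that the linked page carries it. The ''putty_password'' anchor also disappears, so any existing links to ''security_credentials#putty_password'' should be checked.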