Post a reply :: Support Forum

Topic review

That's good to hear, thank you.

Thanks for your suggestions.

- We have removed the password from the registration email
- We are planning to use HTTPS for forum authentication
- We are not storing (never were) plain text passwords on our server

During the registration process for this forum I noticed two things potentially affecting the security of the user's credentials:

  1. Neither the traffic for the registration nor for the login pages is encrypted by using TLS/SSL-enabled HTTP (HTTPS). This means that every single password used for registration or login is transferred via the web as clear text, readable for everyone.
  2. The registration confirmation e-mail that is sent out once the registration process is completed contains the chosen password as clear text.

Both points are not a good practice for the infrastructure of a software tool which shall allow a secure, encrypted file transfer with other hosts and both are potential security vulnerabilities, which would be easy to fix. Having said this, I would recommend encrypting the webserver traffic at least for the login and registration pages by using HTTPS and not including the clear text passwords of accounts in confirmation e-mails anymore. Passwords should be hashed with a suitable hashing algorithm additionally secured by a unique, random salt immediately after arriving on the server. Directly after hashing, they should be securely erased on the server side.
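
The handling recommended in the post above, as an added example that is not part of the thread and not the forum's own code: a registration step that stores only a salted scrypt hash, wipes the received password buffer, and builds a confirmation e-mail without the password. The function names, the record format and the scrypt cost parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this sketch; tune them to the server.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def _wipe(buf: bytearray) -> None:
    # Best-effort erase: overwrites this buffer only. Copies made elsewhere
    # (for example by the request parser) are outside its reach.
    buf[:] = bytes(len(buf))


def hash_password(password: bytearray) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' and wipe the caller's buffer."""
    salt = secrets.token_bytes(16)  # unique, random salt per account
    try:
        digest = hashlib.scrypt(password, salt=salt, n=SCRYPT_N,
                                r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    finally:
        _wipe(password)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: bytearray, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(password, salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
        return scheme == "scrypt" and hmac.compare_digest(candidate, expected)
    except ValueError:
        return False  # malformed or unsupported record
    finally:
        _wipe(password)


def register(users: dict, username: str, password: bytearray) -> str:
    """Store only the salted hash; return the confirmation e-mail body."""
    users[username] = hash_password(password)
    # The e-mail confirms the account and never echoes the password.
    return f"Hello {username},\nyour forum account is now active."
```

Because each account gets its own salt, two users who choose the same password end up with different stored records.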

