Master key/password primitive bypass

Using the same WinSCP Portable 5.19.2 (build 11614) on Windows 11 & Windows 10 64-bit. Explorer interface. Using normal passwords on some connections, and RSA keys on others.

Hello!

I love WinSCP, but I also love being somewhat secure.
I have set a 'Master key' within WinSCP in hopes to secure the FTP passwords I have stored in WinSCP. I thought this worked for about 2 years now, however, I have just discovered that the window which prompts me to enter the Master key can simply be closed by clicking 'Cancel' and WinSCP will start connecting to whichever server I clicked to connect to.
This also works when editing the saved FTP connection, I can simply click 'Cancel' on the master key prompt and it lets me edit the connection without authenticating.

So my question is, is this a bug or is that how the feature was intended? Because if this is not a bug, I am unsure how setting a master key would be useful in any way, shape, or form.

No log as this happens across any server; steps:

1) Make sure you have an S/FTP connection saved along with its password in sessions.
2) Set a Master key under Settings->Security
3) Close WinSCP
4) Open WinSCP
5) Click on the saved S/FTP connection
6) Click 'Login'
7) When 'Master password' prompt opens, click 'Cancel'
8) Done; WinSCP starts connecting

The passwords are protected by master passwords, they are actually encrypted using a key derived from the master password. Without master password, they cannot be decrypted, even if there were whatever bug in WinSCP. If you can login without the master password, it means that somehow the passwords were actually not encrypted.

Can you reproduce the problem with clean WinSCP settings? Start WinSCP like this:

That's very strange.

I downloaded a new installation of WinSCP, fresh installed, forced it to generate a new .ini file but it still somehow loads configuration from god knows where as I can see 2 saved servers (I do not have WinSCP installed anywhere else). This is loading a very old config file as that server is now dead so it might be related to this.
Where in the registry does WinSCP store its data? Just so I can wipe that and try what you suggested.

Managed to clean up the configurations stored when uninstalling. I've reinstalled again, set a master password and it still allows me to click 'Cancel' and proceed to connect without typing g in the master key.

Please attach a full session log file showing the problem (using the latest version of WinSCP).