Security> Master password Bypass

Advertisement

laurent_h
Guest

Security> Master password Bypass

Hi,

Thank you for your product.

There is a simple security bypass :

- create a master password
- close winscp
- start winscp and choose an account
- on master password prompt let empty just click cancel
- you can connect ?!

Did I miss something ?

Version

WinSCP v5.5.2 (build 4130)
OS: Windows 7 64bit

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
40,476
Location:
Prague, Czechia

Re: Security> Master password Bypass

The master password does not prevent WinSCP from running neither from starting a connection. It only protects stored passwords. So if you cancel the master password prompt, the connection continues, you just get prompted for password, as if it was not stored in the site.

If you use password-less authentication, for example private key without passphrase or loaded into Pageant, master password is not involved at all. You should actually not get a prompt as all. Except for a case where you have password stored in site, but it's actually not used because private key authentication has precedence. Then you get a prompt, but cancelling it won't prevent automatic authentication using private key/pageant.

Reply with quote

Advertisement

You can post new topics in this forum