Security> Master password Bypass

Hi,

Thank you for your product.

There is a simple security bypass :

- create a master password
- close winscp
- start winscp and choose an account
- on master password prompt let empty just click cancel
- you can connect ?!

Did I miss something ?

Version

WinSCP v5.5.2 (build 4130)
OS: Windows 7 64bit

The master password does not prevent WinSCP from running neither from starting a connection. It only protects stored passwords. So if you cancel the master password prompt, the connection continues, you just get prompted for password, as if it was not stored in the site.

If you use password-less authentication, for example private key without passphrase or loaded into Pageant, master password is not involved at all. You should actually not get a prompt as all. Except for a case where you have password stored in site, but it's actually not used because private key authentication has precedence. Then you get a prompt, but cancelling it won't prevent automatic authentication using private key/pageant.