Topic "Security> Master password Bypass"

Author Message



Thank you for your product.

There is a simple security bypass :

- create a master password
- close winscp
- start winscp and choose an account
- on master password prompt let empty just click cancel
- you can connect ?!

Did I miss something ?


WinSCP v5.5.2 (build 4130)
OS: Windows 7 64bit
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 27068
Location: Prague, Czechia
The master password does not prevent WinSCP from running neither from starting a connection. It only protects stored passwords. So if you cancel the master password prompt, the connection continues, you just get prompted for password, as if it was not stored in the site.

If you use password-less authentication, for example private key without passphrase or loaded into Pageant, master password is not involved at all. You should actually not get a prompt as all. Except for a case where you have password stored in site, but it's actually not used because private key authentication has precedence. Then you get a prompt, but cancelling it won't prevent automatic authentication using private key/pageant.
Martin Prikryl

You can post new topics in this forum


What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!


About donations

$9   $19   $49   $99

About donations


WinSCP Privacy Policy

WinSCP License