Topic "Security> Master password Bypass"

Author Message
laurent_h

Guest


Hi,

Thank you for your product.

There is a simple security bypass:

- create a master password
- close winscp
- start winscp and choose an account
- on the master password prompt, leave it empty, just click Cancel
- you can connect?!

Did I miss something?

Version

WinSCP v5.5.2 (build 4130)
OS: Windows 7 64bit
martin
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
The master password does not prevent WinSCP from running, nor from starting a connection. It only protects stored passwords. So if you cancel the master password prompt, the connection continues; you just get prompted for the password, as if it was not stored in the site.

If you use password-less authentication, for example a private key without a passphrase or loaded into Pageant, the master password is not involved at all. You should actually not get a prompt at all. Except for a case where you have a password stored in the site, but it's actually not used because private key authentication has precedence. Then you get a prompt, but cancelling it won't prevent automatic authentication using the private key/Pageant.
_________________
Martin Prikryl