Master key/password primitive bypass

mstr

Using the same WinSCP Portable 5.19.2 (build 11614) on Windows 11 & Windows 10 64-bit. Explorer interface. Using normal passwords on some connections, and RSA keys on others.

Hello!

I love WinSCP, but I also love being somewhat secure.
I have set a 'Master key' within WinSCP in hopes to secure the FTP passwords I have stored in WinSCP. I thought this worked for about 2 years now, however, I have just discovered that the window which prompts me to enter the Master key can simply be closed by clicking 'Cancel' and WinSCP will start connecting to whichever server I clicked to connect to.
This also works when editing the saved FTP connection, I can simply click 'Cancel' on the master key prompt and it lets me edit the connection without authenticating.

So my question is, is this a bug or is that how the feature was intended? Because if this is not a bug, I am unsure how setting a master key would be useful in any way, shape, or form.

No log as this happens across any server; steps:
    1) Make sure you have an S/FTP connection saved along with its password in sessions.
    2) Set a Master key under Settings->Security
    3) Close WinSCP
    4) Open WinSCP
    5) Click on the saved S/FTP connection
    6) Click 'Login'
    7) When 'Master password' prompt opens, click 'Cancel'
    8) Done; WinSCP starts connecting

martin
Site Admin

Re: Master key/password primitive bypass

The passwords are protected by the master password; they are actually encrypted using a key derived from the master password. Without the master password, they cannot be decrypted, even if there were some bug in WinSCP. If you can log in without the master password, it means that somehow the passwords were actually not encrypted.

Can you reproduce the problem with clean WinSCP settings? Start WinSCP like this:
winscp.exe /ini=c:\some\path\winscp.ini
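
The reasoning in the reply above, as an added sketch that is not part of the original thread and is not WinSCP's code or storage format: a stored password encrypted under a key derived from the master password cannot be recovered when the prompt is cancelled, while an entry that was never encrypted is returned regardless. PBKDF2, the HMAC-based stream cipher (a stdlib-only stand-in for a real cipher), the dictionary layout and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_keys(master_password, salt):
    # PBKDF2 is an assumed stand-in KDF; returns (encryption key, MAC key)
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(enc_key, nonce, data):
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, body):
    return hmac.new(mac_key, body, hashlib.sha256).digest()

def protect(password, master_password):
    """Store a session password encrypted under the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, password.encode())
    return {"protected": True, "blob": body + _tag(mac_key, body)}

def store_unprotected(password):
    """Entry that was never encrypted under the master password."""
    return {"protected": False, "blob": password.encode()}

def reveal(entry, master_password=None):
    """Return the stored password, or None if it cannot be recovered."""
    if not entry["protected"]:
        return entry["blob"].decode()   # no key involved, so Cancel changes nothing
    if master_password is None:
        return None                     # prompt cancelled: no key, no plaintext
    body, tag = entry["blob"][:-32], entry["blob"][-32:]
    enc_key, mac_key = derive_keys(master_password, body[:16])
    if not hmac.compare_digest(tag, _tag(mac_key, body)):
        return None                     # wrong master password
    return _xor_stream(enc_key, body[16:32], body[32:]).decode()

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    saved = protect("constructed-ftp-pass", "constructed master")
    print(reveal(saved), reveal(saved, "constructed master"))
    print(reveal(store_unprotected("constructed-ftp-pass")))
```
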
