Topic "Why the password is not encrypted?!"

Author Message
quest

Guest


Hello, why is the FTP password not encrypted while saving it for further sessions???
It's really bad, I think.
quest

Guest


?..........
martin
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
It is. Where do you see it unencrypted?
_________________
Martin Prikryl
quest

Guest


When I started the program and entered the login details for a normal remote FTP server, it then asked me whether I want to save the login for next time, but that it will not be encrypted in any way or something like that... ?
Thanks
quest

Guest


...........?
martin
Site Admin
quest wrote:
When I started the program and entered the login details for a normal remote FTP server, it then asked me whether I want to save the login for next time, but that it will not be encrypted in any way or something like that... ?
Thanks

Please read it properly.
_________________
Martin Prikryl
Demon Rob

Guest


So why DO you provide password encryption?
I've just come from the FileZilla forums where the developer says that there is absolutely no need for it.

That's why I'm here!

Seems FZ2 had password obfuscation and not encryption. !?!!
And he now thinks neither is necessary.
Plus FileZilla 3 doesn't offer remote file view/edit, or keep connected options that FileZilla 2 had.

Let's see how good this program is!
Demon Rob

Guest


When the program saves a password it says it's not really secure. That's what he means I reckon.
What would be good for the program would be a master password. Enter it once when you open the program and use it to encode all the other passwords.
That would be nice!

PS: I like this program much better than FileZilla by the way!
martin
Site Admin
Demon Rob wrote:
Seems FZ2 had password obfuscation and not encryption. !?!!

That's what all programs have, including WinSCP. I think it is better than nothing.
_________________
Martin Prikryl
Guest




prikryl wrote:
Demon Rob wrote:
Seems FZ2 had password obfuscation and not encryption. !?!!

That's what all programs have, including WinSCP. I think it is better than nothing.

Not all programs simply obfuscate the password - e.g. Subversion http://subversion.tigris.org/svn_1.2_releasenotes.html#win32-password-encryption

Google turns up https://technet.microsoft.com/en-us/library/bb457116.aspx - essentially a Windows API that will encrypt a file based on the currently logged-on user's credentials. If the user's password is reset, the contents of the file are lost permanently (barring brute-force attacks). I've no idea if that's what Subversion uses, but I suspect that it is.

Can I suggest that the WinSCP developers look at using that to provide a better mechanism for protecting passwords?

Greg
martin
Site Admin
Quote:
Google turns up https://technet.microsoft.com/en-us/library/bb457116.aspx - essentially a Windows API that will encrypt a file based on the currently logged-on user's credentials. If the user's password is reset, the contents of the file are lost permanently (barring brute-force attacks). I've no idea if that's what Subversion uses, but I suspect that it is.

Can I suggest that the WinSCP developers look at using that to provide a better mechanism for protecting passwords?

It is a good point. On the other hand, this prevents usage of portable configuration, which many users of WinSCP benefit from.
Demon Rob

Guest


prikryl wrote:
Demon Rob wrote:
Seems FZ2 had password obfuscation and not encryption. !?!!

That's what all programs have, including WinSCP. I think it is better than nothing.

Definitely better than nothing, but clearly not optimal due to the well known problems.

But is there any good reason not to allow the user to enter a single password at program startup, one way hashed, to allow full access to the passwords?
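The trade-off discussed in this thread, as an added example that is not part of the original posts and is not WinSCP's or FileZilla's code: obfuscation with a key shipped in the program can be reversed by anyone holding the configuration file, while an entry encrypted under a key derived from a master password cannot, and it stays portable because nothing is tied to a Windows account. The fixed key, the iteration count and the HMAC-based keystream (a standard-library stand-in for a vetted cipher such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import os

FIXED_KEY = b"shipped-inside-every-copy"  # constructed: an obfuscation key lives in the program
ITERATIONS = 200_000                      # assumed PBKDF2 work factor

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream: a stdlib stand-in for a vetted
    # cipher such as AES-GCM, which a real client should use instead.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def obfuscate(password: str) -> bytes:
    return _xor_stream(FIXED_KEY, b"", password.encode())

def deobfuscate(blob: bytes) -> str:
    # Needs nothing the user knows: the config file plus the program is enough.
    return _xor_stream(FIXED_KEY, b"", blob).decode()

def _subkeys(master: str, salt: bytes):
    # Slow, salted derivation from the master password, then two independent keys.
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def protect(password: str, master: str) -> bytes:
    # Entry layout: salt(16) | nonce(16) | ciphertext | tag(32); self-contained, so portable.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(master, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, password.encode())
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unprotect(blob: bytes, master: str) -> str:
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _subkeys(master, body[:16])
    # Verify the tag before decrypting: a wrong master password fails here.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or modified entry")
    return _xor_stream(enc_key, body[16:32], body[32:]).decode()
```
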
martin
Site Admin
Demon Rob wrote:
But is there any good reason not to allow the user to enter a single password at program startup, one way hashed, to allow full access to the passwords?

Well, public key authentication with Pageant is a superior feature to this. Supposing you use SFTP/SCP...
Guest




prikryl wrote:

Well, public key authentication with Pageant is a superior feature to this. Supposing you use SFTP/SCP...

'google pageant public key' - yeah, looks good.
So let's implement both, since standard FTP still requires a standard password, doesn't it?
(It's just so easy to say gimme gimme gimme, isn't it!)
martin
Site Admin
Quote:
So let's implement both, since standard FTP still requires a standard password, doesn't it?
(It's just so easy to say gimme gimme gimme, isn't it!)

OK, if more people ask for it... :)
_________________
Martin Prikryl