Encrypted password repository with a master password

Hello Martin,
here's an idea for future development.

I like Mozilla's approach to saving passwords - if I set a master password to the password storage, saved passwords are encrypted and cannot be decrypted without the master password.

What bugs me though, is that I have to enter the master password each time my Firefox starts.

My list of saved connections in WinSCP (FAR plugin) is pretty long and contains all sorts of sites where I don't want to store my public ssh key, or where I'm forced to use plain FTP connections (yuck).

I don't feel good about saving passwords when they can be decrypted but hell, I'm lazy and I'm not going to copy/paste the passwords from my Secret! Desktop (http://linkesoft.com/secret/desktop.html).

It would be great if you could implement a password storage much like Mozilla has. But that wouldn't be enough for me :-)

Since you already work with PuTTY Pageant very well, you could use it's ssh key as the master password. I would then only need to enter the passphrase into Pageant and it would unlock my saved passwords in WinSCP. Nifty, huh?

Now I know this is a lot of work so I'm willing to put some money into this. Could you please contact me at petr.pavel zavinac/at pepa.info if you're interested? I'm not a company so please don't expect much.

Thanks
Petr

P.S.: And of course, thanks very much for all your hard work. It is appreciated every day.

This request has been added to tracker.

But I do not give it high priority atm... :-)

Here's an idea that might be easier to implement --- I notice that WinSCP allows storage of its configuration in an ini file as opposed to the registry -
If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)

Certainly this is not as comprehensive as what's being proposed, but it seems like an easy-to-implement feature that could allow for better security.

Now protecting disk encryption against cold boot attacks, that's another story. :) I'm not sure if the proposed system below would protect against that either ...

aaron_w wrote:

If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)

You can specify a path to an INI file using /ini command line parameter.

Oops. Ok. Cool. Well, thank you for pointing that out to me. :)

Aaron

martin wrote:

You can specify a path to an INI file using /ini command line parameter.

I assume this is only true for the stand-alone WinSCP, not for FAR Manager plug-in. I mean there's no way to tell the plug-in to save into ini, instead of to to registry, right?

aaron_w wrote:

Here's an idea that might be easier to implement --- I notice that WinSCP allows storage of its configuration in an ini file ... it could easily be stored on an encrypted filesystem, such as TrueCrypt.

Sorry for crushing the party but my concern is malware, not theft. I don't want malicious software to have access to my password storage and TrueCrypt wouldn't help me here. If I can access the encrypted filesystem then so can the malware.

Petr

petr.pavel wrote:

Sorry for crushing the party but my concern is malware, not theft. I don't want malicious software to have access to my password storage and TrueCrypt wouldn't help me here. If I can access the encrypted filesystem then so can the malware.

Ah. Good point, of course.

petr.pavel wrote:

I assume this is only true for the stand-alone WinSCP, not for FAR Manager plug-in. I mean there's no way to tell the plug-in to save into ini, instead of to to registry, right?

Correct.

I am using KeePass and with that a included master password to ensure that the passwords i use are safe. I wanted to call WinSCP by using the cmd:// pattern in KeePass urls: The idea: if you double click a "location" it opens WinSCP with the password. Unfortunately I didn't found a way to pass the password with the current Command line options of WinSCP. It would be a great leap if you could add a support for that.

Password can be specified as part of session URL.

But if i use the session url then it won't store the rest of the customized settings of the session: in other words: I can not store things like "favorite paths" or "custom home directory".

OK. So how do you want to work with sessions of WinSCP from KeePass?

It would be nice if there were optional parameter for winscp.exe [session] -p=[password]. this would allow to have keepass(or any other application) to start a session why having all passwords stored at one point. In a way this would solve the initial issue of having one masterkey for winscp.

This request has been added to tracker.