Warning: FileZilla FTP Passwords now Stored in Plaintext

I feel that this should be brought to the attention of FileZilla users out there, even though it may not seem like a huge concern. (Lots of apps do this, but potentially giving up FTP access info for a bunch of servers you are responsible for is something to be avoided.)

I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and found out that recent versions of FileZilla (version ~, and possibly older) store all saved FTP account connection info in plaintext .xml files. This applies to both Linux and Windows installations (Mac OS X has yet to be tested, but I would bet the same applies).

In some cases this is convenient: often I connect with FileZilla and later need the password in a different app or on another machine but don’t have it to hand, and I can just look it up in these plaintext config files.

But in other cases this is a serious problem. From a practical standpoint, say you connect to your FTP server using FileZilla on a semi-public machine, like at a buddy’s place, where you may not be worried about keyloggers but don’t necessarily want your credentials sitting there in plaintext after you walk away.

And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.

Personally, I am not going to stop using FileZilla as my primary FTP client on my Linux and Windows boxes; it really is a great app – one of the best clients, if not the best. But I feel that how sensitive data is stored should be a major concern to any serious user.
The following files are what you need to know about:

filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:

Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”
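The following is an added example, not code from the original post or from the FileZilla project. It audits the three files named above, in the directories listed above, and reports which saved entries have a password on disk without echoing the password itself, so the output can be handed to whoever has to rotate the affected accounts. It assumes the common FileZilla3 XML layout in which each saved entry is a `<Server>` element with `<Host>`, `<User>` and `<Pass>` children; that element layout and the embedded sample file are assumptions and constructed data, not something the post documents. On POSIX systems it also flags config files that other local users can read.

```python
#!/usr/bin/env python3
"""Audit FileZilla configuration files for stored credentials.

Added example (not from the original post or the FileZilla project). The
file names and per-OS directories come from the post; the <Server>/<Host>/
<User>/<Pass> element layout is an assumption, not something the post
documents. The report never echoes a password, only whether one is stored.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

CONFIG_FILES = ("filezilla.xml", "recentservers.xml", "sitemanager.xml")

# Constructed sample in the assumed sitemanager.xml layout (not a real file).
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <User>webmaster</User>
      <Pass>hunter2-demo</Pass>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <User>deploy</User>
      <Pass></Pass>
    </Server>
  </Servers>
</FileZilla3>
"""


def candidate_dirs():
    """Config directories from the post, resolved for the current user."""
    if sys.platform.startswith("win"):
        appdata = os.environ.get("APPDATA")       # ...\AppData\Roaming
        return [Path(appdata) / "FileZilla"] if appdata else []
    return [Path.home() / ".filezilla"]          # Linux (and OS X, per the comments)


def audit_xml(text):
    """Return one record per <Server> entry found in the XML text.

    Later FileZilla builds wrap the value as <Pass encoding="base64">; that is
    still a recoverable stored secret, so it is counted the same way.
    """
    root = ET.fromstring(text)
    findings = []
    for server in root.iter("Server"):
        password = server.findtext("Pass") or ""
        findings.append({
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "password_stored": bool(password),
            "password_length": len(password),
        })
    return findings


def mode_readable_by_others(mode):
    """True if the POSIX mode bits grant read access to group or others."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path):
    """Audit one config file; returns (findings, readable_by_others)."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    loose = mode_readable_by_others(path.stat().st_mode) if os.name == "posix" else False
    return audit_xml(text), loose


def main():
    found_any = False
    for directory in candidate_dirs():
        for name in CONFIG_FILES:
            path = directory / name
            if not path.is_file():
                continue
            found_any = True
            findings, loose = audit_file(path)
            exposed = [f for f in findings if f["password_stored"]]
            print(f"{path}: {len(findings)} entries, {len(exposed)} with a stored password"
                  + (", readable by other local users" if loose else ""))
            for f in exposed:
                print(f"  {f['user']}@{f['host']} (password length {f['password_length']})")
    if not found_any:
        print("no FileZilla config files found; demo on the constructed sample:")
        for f in audit_xml(SAMPLE_SITEMANAGER):
            print(f"  {f['user']}@{f['host']} stored={f['password_stored']}")


if __name__ == "__main__":
    main()
```

Run it as the user whose FileZilla profile you want to check; every `user@host` line it prints is a credential that should be treated as exposed if the machine has been shared or compromised, and is a candidate for rotation.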

It seems that this has been brought to the developer’s attention, but it also seems that this won’t be changing any time soon. There is a bit of a dispute as to how this should be handled, but I say why not at least use weak cryptography/obfuscation like they used to; that way it would take some minor effort and know-how to get at these passwords.

If you have further information regarding the subject, please comment.

Related resources:

Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html

FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)



57 Replies to “Warning: FileZilla FTP Passwords now Stored in Plaintext”

  1. I hate to burst your bubble, but FTP passwords are transmitted in plain text anyway, and filezilla is open source. Even if they did use weak encryption, it needs to be reversible by design, and the reversing code would be (and has been) freely available right in the source distribution. Actually, they could simply copy your XML files over their own Filezilla installation and connect using your credentials. If someone wants to get into your account, and they have access to your XML files, you’re screwed either way.

    What *should* be implemented is an option to not store the password, and have the application prompt for it when needed. FlashFXP does this, where if you leave the password box empty, it will pop up when you try to connect. It doesn’t get saved, and even if you reconnect during the same session, it prompts you again.

    That way, you can safely FTP from a public location without exposing your password. A person could still sniff the IP traffic, but that’s a bit more involved than merely copying a text file, and much harder to pull off without getting caught (unless you’re the sysadmin).

    1. I know this is very old stuff, but still.
      Solution should be to be able to give a master password which won’t be found in the source code of the app 😉
      So every time you need to connect, it only asks for the master password.
      Then if someone wants to steal your pass, they can’t do it any more through reading files but only through network man-in-the-middle kinda stuff, which is way more complicated.

  2. My bubble is in great shape – I’m well aware that FTP is plaintext and Filezilla is open source. My point is that it is now too easy to see passwords, simply glancing at a file in a text editor. You’ve got a point that someone could just copy the xml files over their own installation but the difference here is that anyone can read plaintext, it takes someone with some knowledge + effort to go beyond that.

    I’m not worried about the pros and the overeager who would sniff my network nearly as much as the junior script kiddies who would gladly slurp plaintext but shy away from some simple decoding.

    Optional password storage would make a lot of sense, it is a bit presumptuous although convenient to store recent logins.

  3. Personally, I’m glad the passwords are stored in plain text. I deal with a lot of ftp servers, and some accounts we’ve had for so long we (and the other sysadmins) have forgotten what the passwords were. I know, document stuff better, but people don’t. Plaintext passwords saved the day.

    I’ve recently switched from LeapFTP to FileZilla, and I don’t plan on switching to anything else for quite some time. I had to use a password revealer to get my ftp accounts imported into FZ …

    I actually came here looking for the location of the xml files, because this morning I had to tell a client what account / password we were using to access their ftp server. Thanks for posting the location, as I seemed to be unable to locate them on my own. Windows Search failed me 🙁

    1. Well, you will not plan it until you get those kinds of viruses taking this file to hack ftp servers. I got all my ftp servers hacked recently. It’s a very bad security policy.

  4. Yes, of course the FTP protocol does transmit in plain text, but there is a difference between the theory and the real world.

    In the real world, my data collector will be happy to search and extract passwords from files that store them in plain text (in every filezilla installation) on the machines that I may hack.

    And nope, most people don’t encrypt their home directory. And a new password often leads to a new – higher – level of access.

    So yes, there is a big difference between mounting a Man in the Middle attack, which requires being in the right place at the right moment, and simply taking a file and having access to the last X months of login history.

    “If you don’t trust your root, don’t use the system” -> what about: never trust anyone ?

  5. I was just over at the FileZilla site asking about this and a thorough read reveals that not only does the sole developer refuse to do anything to help, he actively stifles discussion of the matter after blaming everybody and everything else for the problem.

    My recommendation is to remove FileZilla from your system if you are responsible over any web site because though you were a target for hackers before, you have just become a PREFERRED target because of the attitude and actions of Tim Kosse, the developer of FileZilla.

    1. Actually, I just came from the FileZilla website, and know what you mean. The admin there seems to be a real idiot (he actually suggests that everyone should spend an hour a day on their PC making sure it’s secure). Any encryption, even basic, is an improvement over plaintext (they could always leave in a plaintext option). I used to be a big FileZilla fan, but will no longer run it due to the password issue – that and the fact that I don’t like supporting dickheads.

  6. That it is transmitted in plain text is a silly excuse if you ask me.

    IF the user wants to store the password then the application should do its best to protect the user and in this case it means to use reasonable encryption which is not rocket science anymore.

    Now anyone can just open the archive and steal your passwords, in fact malware and viruses steal passwords this way.

    Shameless omission! being open source is no excuse for laziness.

  7. Why not do what Firefox does and have a master password and use that to create a hash and key to decode the stored (encrypted) passwords?

    This is a major security risk and should be handled.

  8. I’ve just had 6 sites hacked due to this vulnerability. I run all sorts of security measures on my PCs, but it was so easy for the malware to pick up the plain text host, user, and password info from the FileZilla xml file that it was sent to the hackers before I could even flick my WiFi switch off! Literally – I was stunned by how quickly it happened. Although the sites were hacked within 24hrs, luckily I spotted it before my sites were blacklisted as their hacks loaded the sites with malware.

    Read the FileZilla forums and see how their “admin” deals with such queries – quite frankly, the tone of his responses to their users would stop me using FileZilla even without this recent event!

    If you don’t want all your ftp account details to land up in the hands of some hacker who will ruin your websites, DON’T USE FILEZILLA – even if your machines are like Fort Knox!

    FileZilla’s “admin” response to users caught out in this way – “don’t use Windows”! Sorry?….I’m sure I was using the WINDOWS version of FileZilla? Really, I urge you to read their forums (search for encrypt and/or hacked) and you’ll soon see that FileZilla’s developers are not people whose software you would want to use.

    I wish I’d read your original post 10 days ago – it would’ve saved me SO much hassle and a stack of work changing accounts and loading site backups. Thanks for bringing it to others’ attention though! Please, please, please, heed these warnings – however “safe” you believe your machines to be!


  9. If you’re using FTP in a public location, this is only one of your worries. If you administer the workstation, use the fzdefault.xml file in the /docs/ folder and change the kiosk mode parameter to 1 or 2 so that it doesn’t save this info.

    Additionally, you can use the fzdefault.xml file to tell FileZilla not to check for updates, which is usually a nuisance on a public machine anyway.

  10. I too came to figure out where the passwords were stored. My passwords are very strong, and I sometimes forget them. Thanks for the tip. 🙂

    (FTP isn’t secure anyway, packet sniffing on wifi networks, many of which are wep, is easy enough. Use SCP if you want security.)

  11. I keep waiting for someone to write a free, Windows-compatible FTP client that doesn’t suck, but I have yet to find one.

    Thanks for the heads up. I’m ditching FileZilla.

  12. First, thanks UT for this post! I agree with all you said about Filezilla and the storage of passwords. This has woken me up and I’m evaluating my whole password strategy.

    So what FTP program do you recommend for Windows?

    I would assume you recommend to start using SFTP?

    1. I still use FileZilla frequently (which supports SFTP). I wrote this post only to inform of the potential security risk, I still think FileZilla is among the best FTP clients out there.


  13. Thanks for the info – I have a notebook that unwittingly became my failover after my desktop blew out badly. So I arrived here just to find out where those passwords are, and how to decrypt them… Needless to say I’m happy now.

    +1 on keeping the pw in plaintext and where they are – if you’re in need of encryption, then go for a specific app like TrueCrypt. And leave the frou-frou and dancing bear additions to Microsoft.

    1. Oh I forgot to add that Windows 7 hasn’t changed the location for the Filezilla files compared to Vista, so the location for Windows 7 is (in case you want to update the post info) here:

      Windows 7: “C:\Users\username\AppData\Roaming\FileZilla”

  14. One option, which does not solve the problem but does add an extra layer of security, is to apply windows encryption to the entire folder where the XML files are.

    Yes, windows encryption has already been broken, so if you are truly concerned about security but LOVE Filezilla then you should create a Truecrypt volume to store the XML files.

    Of course if you are that paranoid you should also switch your SERVERS to SFTP or another secure FTP method.

  15. The Filezilla developer has a seriously nasty attitude. Makes you wonder why he develops for the Windows platform at all as he is so abusive to anyone who uses it.

    If you want your FTP accounts and websites hacked with Malware distribution bots, use Filezilla, by all means. Read the Filezilla forum on passwords stored in plain text XML files. The conversations and, in particular, the developer responses are hard to believe.

  16. I keep a fairly clean system and still had passwords for 2 clients sites stolen and their websites defaced with advertisements.

    Now I keep my passwords in the only truly safe place left – my head. If the developer doesn’t want to do anything about this – fine. It’s his program he can do what he wants with it (and it’s a great program). I think informing people about this is a must however as many assume at least a basic level of encryption on these passwords.

  17. I was subject to some malware which has just taken the plain text passwords from sitemanager.xml. I am dismayed, each of the sites has been hacked but luckily only those listed in filezillas’s sitemanager. I had recently planned to convert all my sites from wsftp to filezilla and only the difficulty of transferring 60 or so sites had prevented me. I am now so thankful that I did not start the job! I am appalled at finding that filezilla stores passwords in plain text.

    I have now removed filezilla from all my machines and ws ftp is now my default ftp client. The attitude of the developers is all wrong. They seem to think that we should not be using windows…a daft and pompous attitude to take. Filezilla on Windows could be the norm if only it worked properly.

    My advice: do NOT install Filezilla. If you have it installed, remove it now, the security of your websites is seriously at risk.

  18. Got hacked on 15Aug2010, 50 sites on two servers.

    Javascript from .ro attacked all types of index files as well as every .js in the servers.

    There is no point in reporting this to the Filezilla forum because of their hostile and arrogant attitude.

    I love Filezilla and have a solution – I installed Filezilla Portable from http://portableapps.com/apps/internet/filezilla_portable and it runs on a usb memory stick. No Filezilla files are copied to my windows machine.

    Now simply plug in the stick when I have changes to make and remove it afterwards!

    1. You’re funny 🙂, then when you connect your USB they steal it with a script that searches for this file on all the machine’s devices and USB sticks, so it doesn’t help. You are at risk when you connect your USB.

  19. Hey Buddy….

    I am using win2k server. I have searched for the files you mention but am unable to get the file filezilla.xml. Can anyone please suggest how to retrieve the stored ftp server password from filezilla firefox.

    Dilip Gupta

  20. Hello,
    I usually access confidential data as a part of my job.
    But once I had accessed an FTP site using FireFTP in Mozilla Firefox on someone else’s machine with remember password enabled. But later I deleted that account. Is there any possibility of recovering that account by that person, and which are the locations where the password for that account can be stored?
    I am really worried because this can lead to a huge loss. Please help, it’s very urgent so that I can take some action.

  21. Awww fail security experts are fail.

    Anything else with a save password box is just as big a risk you tools.

    Complaining about getting your ftp password is like complaining about getting the clap from your $5 hooker.

  22. (For all those being really indignant here)

    Serious dudes,
    1. If you did not know this, go do your homework. Also, you, and only you are responsible for securing your box. Don’t blame the devs of Filezilla for your lack of knowledge. Filezilla is one of the best FTP clients. If you are not satisfied with a feature go help them! Grow up, stop screaming like a little child, and do some work! (I guess you won’t put in some effort yourself do you?)

    2. As Emilio indeed correctly said: FTP passwords get sent in plain text, so if you do not use SFTP or SCP it does not matter if you encrypt the xml file or not. Do you know the concept of security through obscurity? Well this is a great example of it. I would worry first about using SFTP or SCP (or read the php ftp manual and hack up something yourself) before worrying about your plain text password file. If someone has access to your system you are screwed anyway. Don’t blame others because you don’t know shit.

    3. Look for a solution first: e.g. Evrim wrote a nice article about this: http://www.evrim-sen.com/html/filezilla-password-protection.htm

    4. Be constructive please, go find a solution, and put it up online for others to use, just like Evrim did. (eg. you could use keepass, double click the password of your ftp entry, paste it in the password field when FileZilla asks for it. Keepass clears yours clipboard after 12 seconds, and your passwords are stored safely, and encrypted.)(I see Aidan also put this solution in his comment, but there are many other ways you can secure a plain text file.)

    5. @Keith saying “I was subject to some malware which has just taken the plain text passwords from sitemanager.xml”. Dude how did you get that malware on your (secure) system in the first place? Oh really, you downloaded some (cracked) stuff for personal use on the system that should have been secure, really??

    6. @Michael saying “I keep waiting for someone to write a free, Windows-compatible FTP client that doesn’t suck, but I have yet to find one. Thanks for the heads up. I’m ditching FileZilla.” Michael FileZilla does not suck, you are the one that has a lack of knowledge, you should blame yourself.

    7. @dizt3mp3r saying “My advice: do NOT install Filezilla. If you have it installed, remove it now, the security of your websites is seriously at risk.” I would never take advice from somebody who does not know what he is talking about. I also would not give advice if I did not know what I was talking about myself. The security of your websites are also not at risk, because of FileZilla, but they are because of you not knowing what you are doing. If you would know, you would not giving such advice.

    8. @anonymous saying “Awww fail security experts are fail… you tools.” …exactly what I thought..


  23. So, let me get this straight, you’re really concerned that a password is stored in plain text on the file system. Wouldn’t it be more of a security problem if someone could get to this area? The Filezilla password would be the least of your problems.

  24. There are some real twits here not listening but feeling free to comment – Bart.

    Let me explain – I am a system administrator going back to 1986. So, I reckon I know what I am talking about.

    There is no question about it, this one flaw in filezilla is enough for any potential user to drop the program like hot cakes, immediately. It is almost acting as a trojan allowing any hacker to access your sites as long as they can access your PC. Hackers are incredibly clever and resourceful and I know for a fact that they see filezilla as an open resource for harvesting passwords en masse.

    Avoid it.

  25. Hi,

    Just to let you know. My websites have been hacked into and I strongly suspect that they got my passwords from the FileZilla xml file. They kept hacking my websites even after I changed passwords. FileZilla is the client I use, and I’m gonna drop it immediately.

    I was wondering how they are able to get into servers, and now I know.

  26. Keeping password in plain text is the only feature I am seriously considering to drop Filezilla all together. I still somewhat understand the point of FTP being clear text hence the password is in clear text. But even this is stupid IMHO. Master password or simple encryption would be sufficient.
    But come on, what is the reason to keep SFTP and FTPS passwords in clear text? Just simply a bad decision.

  27. For some time I really liked FileZilla because it was great to use and no problem to get lost passwords back. But then a few of my pages got seriously hacked (well, actually r*ped). Different hosts, passwords weren’t saved or written anyplace else. So I came to this security issue and for the last few years I have used WinSCP.

    What I’m really bugged about is that in overall Filezilla is really good tool. But since 2008 (first serious topic about this in Filezilla forum) they haven’t added ability to encrypt passwords. But in time when websites are being hacked more than ever, you just can’t have plain text login data.

  28. I see it’s possible to encrypt it …

    In most cases I use Total Commander as my FTP client, and they store the configuration like this


  29. I’m not sure when it was implemented, but in the latest version you can select “Do not save passwords” in the settings under ‘Interface’. After doing so, clear the Quickconnect history and restart. When connecting to a server you are prompted for the password and given the option to retain the password until Filezilla is closed.

  30. For OS X users the file locations will be something similar to /Users/username/.filezilla/recentservers.xml and /Users/username/.filezilla/sitemanager.xml and even for SFTP connections the login credentials are still saved in plaintext. Without wanting to be critical of Filezilla’s developers, the only sensible way to save login credentials is in the keychain and I would hope that anyone developing for OS X would know that (hint to Filezilla developers: Google “KeychainItemWrapper example”). Perhaps the fault is all mine – I should really be using key authentication anyway rather than passwords, but I don’t always get that option.
