
Warning: FileZilla FTP Passwords now Stored in Plaintext

I feel that this should be brought to the attention of FileZilla users out there, even though it may not be a huge concern to everyone. (Lots of apps do this, but potentially giving up FTP access info for a bunch of servers you are responsible for is something to be avoided.)

I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and found out that the most recent versions of FileZilla, version ~3.0.9.2+ (and possibly older), store all saved FTP account connection info in plaintext .xml files. This applies to both Linux and Windows installations (Mac OS X has yet to be tested, but I would bet the same applies).

In some cases this is convenient – often I connect over FileZilla then don’t have access to the password but need to use it in a different app/machine, I could just look it up in these plaintext config files.

But in other cases this is a serious problem. From a practical standpoint, let’s say we connect to our FTP server using FileZilla on a semi-public machine like at a buddy’s place where you may not be concerned about keyloggers but don’t necessarily want your stuff available in plaintext after you walk away.

And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.

Personally, I am not gonna stop using FileZilla as my primary FTP client on my Linux and Windows boxes; it really is a great app – one of the best clients, if not the best. But I feel that awareness of how sensitive data is stored should be a major concern to any serious user.
The following files are what you need to know about:

filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:

Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”
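As an added example (not part of the original post), the following Python script checks a FileZilla profile directory for the three files above and reports which saved sites still carry a password, without ever printing the password itself. It assumes the FileZilla 3 XML layout where each saved site is a `<Server>` element with `<Host>`, `<User>` and `<Pass>` children, and maps the Vista path above to `%APPDATA%\FileZilla`; the sample XML embedded in it is constructed.

```python
# Added example (not from the original post): audit FileZilla's config files
# for saved plaintext passwords. Assumes the FileZilla 3 layout in which each
# saved site is a <Server> element with <Host>, <User> and <Pass> children.
import os
import sys
import xml.etree.ElementTree as ET

# The three files the post names as holding connection details.
CREDENTIAL_FILES = ("filezilla.xml", "recentservers.xml", "sitemanager.xml")

# Constructed sample in the assumed sitemanager.xml shape (fake values).
SAMPLE_XML = """<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><Port>21</Port>
          <User>webmaster</User><Pass>hunter2</Pass></Server>
  <Server><Host>files.example.test</Host><Port>21</Port>
          <User>deploy</User></Server>
</Servers></FileZilla3>"""

def config_dir():
    """Per-user FileZilla directory, following the paths listed in the post."""
    if sys.platform.startswith("win"):   # Vista+: %APPDATA%\FileZilla (assumed)
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla")
    return os.path.expanduser("~/.filezilla")

def find_stored_credentials(xml_text):
    """Return (host, user, has_password) per <Server>; the secret is never returned."""
    found = []
    for server in ET.fromstring(xml_text).iter("Server"):
        host = server.findtext("Host", default="")
        user = server.findtext("User", default="")
        found.append((host, user, bool(server.findtext("Pass"))))
    return found

def audit(directory):
    """Map each credential file present to the user@host entries that carry a saved password."""
    report = {}
    for name in CREDENTIAL_FILES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            entries = find_stored_credentials(fh.read())
        report[name] = [f"{u}@{h}" for h, u, has_pw in entries if has_pw]
    return report

if __name__ == "__main__":
    for name, entries in audit(config_dir()).items():
        for entry in entries:
            print(f"{name}: plaintext password saved for {entry}")
```

Run it on the machine you are about to leave; any entry it lists is a credential that should be removed from the Site Manager (or rotated) before walking away.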

It seems that this has been brought to the developer’s attention but it also seems that this won’t be changing any time soon. There seems to be a bit of a dispute as to how this should be handled, but I say why not use weak cryptography/obfuscation like they used to, at least that way it would take someone some minor effort/know-how to get to these passwords.

If you have further information regarding the subject, please comment.

Related resources:

Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html

FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)

http://www.reactive-software.com/filezilla-password-recovery.html

http://www.ianwootten.co.uk/2008/01/05/decrypting-filezilla-passwords-with-php/

Discussion

20 comments for “Warning: FileZilla FTP Passwords now Stored in Plaintext”

  1. Where are these stored on a vista machine?

    Posted by Philip Hoppe | May 31, 2008, 8:31 pm
  2. I got my hands on a Vista box, found the folder and added it to the list of directories above.

    Thanks, Sam

    Posted by sam | June 4, 2008, 8:30 pm
  3. [...] Note: I see that others have also talked about the plaintext password problem. [...]

    Posted by Il blog di Gabriele Favrin » Blog archive » FileZilla3: how to make a nice program worse | June 8, 2008, 10:16 am
  4. I hate to burst your bubble, but FTP passwords are transmitted in plain text anyway, and filezilla is open source. Even if they did use weak encryption, it needs to be reversible by design, and the reversing code would be (and has been) freely available right in the source distribution. Actually, they could simply copy your XML files over their own Filezilla installation and connect using your credentials. If someone wants to get into your account, and they have access to your XML files, you’re screwed either way.

    What *should* be implemented is an option to not store the password, and have the application prompt for it when needed. FlashFXP does this, where if you leave the password box empty, it will pop up when you try to connect. It doesn’t get saved, and even if you reconnect during the same session, it prompts you again.

    That way, you can safely FTP from a public location without exposing your password. A person could still sniff the IP traffic, but that’s a bit more involved than merely copying a text file, and much harder to pull off without getting caught (unless you’re the sysadmin).

    Posted by Billco | June 29, 2008, 3:29 pm
  5. My bubble is in great shape – I’m well aware that FTP is plaintext and Filezilla is open source. My point is that it is now too easy to see passwords, simply glancing at a file in a text editor. You’ve got a point that someone could just copy the xml files over their own installation but the difference here is that anyone can read plaintext, it takes someone with some knowledge + effort to go beyond that.

    I’m not worried about the pros and the overeager who would sniff my network nearly as much as the junior script kiddies who would gladly slurp plaintext but shy away from some simple decoding.

    Optional password storage would make a lot of sense, it is a bit presumptuous although convenient to store recent logins.

    Posted by sam | June 29, 2008, 6:46 pm
  6. Personally, I’m glad the passwords are stored in plain text. I deal with a lot of ftp servers, and some accounts we’ve had for so long we (and the other sysadmins) have forgotten what the passwords were. I know, document stuff better, but people don’t. Plaintext passwords saved the day.

    I’ve recently switched from LeapFTP to FileZilla, and I don’t plan on switching to anything else for quite sometime. I had to use a password revealer to get my ftp accounts imported into FZ …

    I actually came here looking for the location of the xml files, because this morning I had to tell a client what account / password we were using to access their ftp server. Thanks for posting the location, as I seemed to be unable to locate them on my own. Windows Search failed me :(

    Posted by Rick | October 23, 2008, 2:57 pm
  7. Yes, of course the FTP protocol does transmit in plain text, but there is a difference between the theory and the real world.

    In the real world, my data collector will be happy to search and extract password from files that store them in plain text ( in every filezilla installation ) of the machines that I may hack.

    And no, most people don’t encrypt their home directory. And a new password often leads to a new – higher – level of access.

    So yes, there is a big difference between mounting a Man in the Middle attack, which requires being in the right place at the right moment, and simply taking a file and having access to the last X months of login history.

    “If you don’t trust your root, don’t use the system” -> what about: never trust anyone ?

    Posted by Francois | February 16, 2009, 4:59 pm
  8. I was just over at the FileZilla site asking about this and a thorough read reveals that not only does the sole developer refuse to do anything to help, he actively stifles discussion of the matter after blaming everybody and everything else for the problem.

    My recommendation is to remove FileZilla from your system if you are responsible over any web site because though you were a target for hackers before, you have just become a PREFERRED target because of the attitude and actions of Tim Kosse, the developer of FileZilla.

    Posted by Aaron Walkhouse | July 21, 2009, 1:14 pm
    • Actually, I just came from the FileZilla website, and know what you mean. The admin there seems to be a real idiot (he actually suggests that everyone should spend an hour a day on their PC making sure it’s secure). Any encryption, even basic, is an improvement over plaintext (they could always leave in a plaintext option). I used to be a big FileZilla fan, but will no longer run it due to the password issue – that and the fact that I don’t like supporting dickheads.

      Posted by WiredEarp | February 9, 2010, 2:33 pm
  9. This story is about FTP passwords. What about SFTP?

    Posted by Daren | July 22, 2009, 11:07 am
  10. [...] what does this trojan do? It steals the FTP passwords saved by Filezilla (they are stored in the clear in an xml) and Total Commander (reversibly encrypted passwords) – probably other ftp clients too – and [...]

    Posted by Cum am scapat de injectionul javascript <script>/*GNU GPL*/ try{window.onload | December 11, 2009, 8:31 pm
  11. That it is transmitted in plain text is a silly excuse if you ask me.

    IF the user wants to store the password then the application should do its best to protect the user and in this case it means to use reasonable encryption which is not rocket science anymore.

    Now anyone can just open the archive and steal your passwords, in fact malware and viruses steal passwords this way.

    Shameless omission! being open source is no excuse for laziness.

    Posted by Emilio | December 12, 2009, 5:08 pm
  12. Why not do what Firefox does and have a master password and use that to create a hash and key to decode the stored (encrypted) passwords?

    This is a major security risk and should be handled.

    Posted by Siddharth | December 16, 2009, 3:04 pm
  13. I’ve just had 6 sites hacked due to this vulnerability. I run all sorts of security measures on my PCs, but it was so easy for the malware to pick up the plain text host, user, and password info from the FileZilla xml file that it was sent to the hackers before I could even flick my WiFi switch off! Literally – I was stunned by how quickly it happened. Although the sites were hacked within 24hrs, luckily I spotted it before my sites were blacklisted as their hacks loaded the sites with malware.

    Read the FileZilla forums and see how their “admin” deals with such queries – quite frankly, the tone of his responses to their users would stop me using FileZilla even without this recent event!

    If you don’t want all your ftp account details to land up in the hands of some hacker who will ruin your websites, DON’T USE FILEZILLA – even if your machines are like Fort Knox!

    FileZilla’s “admin” response to users caught out in this way – “don’t use Windows”! Sorry? … I’m sure I was using the WINDOWS version of FileZilla? Really, I urge you to read their forums (search for encrypt and/or hacked) and you’ll soon see that FileZilla’s developers are not people whose software you would want to use.

    I wish I’d read your original post 10 days ago – it would’ve saved me SO much hassle and a stack of work changing accounts and loading site backups. Thanks for bringing it to others’ attention though! Please, please, please, heed these warnings – however “safe” you believe your machines to be!

    Paul

    Posted by Paul | December 18, 2009, 2:44 pm
  14. If you’re using FTP in a public location, this is only one of your worries. If you administer the workstation, use the fzdefault.xml file in the /docs/ folder and change the kiosk mode parameter to 1 or 2 so that it doesn’t save this info.

    Additionally, you can use the fzdefault.xml file to tell FileZilla not to check for updates, which is usually a nuisance on a public machine anyway.

    Posted by Andy | January 12, 2010, 11:57 am
  15. I too came to figure out where the passwords were stored. My passwords are very strong, and I sometimes forget them. Thanks for the tip. :)

    (FTP isn’t secure anyway; packet sniffing on wifi networks, many of which are WEP, is easy enough. Use SCP if you want security.)

    Posted by josh | January 18, 2010, 2:24 am
  16. I keep waiting for someone to write a free, Windows-compatible FTP client that doesn’t suck, but I have yet to find one.

    Thanks for the heads up. I’m ditching FileZilla.

    Posted by michael | January 18, 2010, 6:13 am
  17. First, thanks UT for this post! I agree with all you said about Filezilla and the storage of passwords. This has woken me up and I’m evaluating my whole password strategy.

    So what FTP program do you recommend for Windows?

    I would assume you recommend to start using SFTP?

    Posted by Jake | January 26, 2010, 5:09 am
    • I still use FileZilla frequently (which supports SFTP). I wrote this post only to inform of the potential security risk, I still think FileZilla is among the best FTP clients out there.

      -Sam

      Posted by sam | February 13, 2010, 10:46 am
