Does FileZilla store passwords in plain txt files?

David: Does FileZilla store passwords in plain txt files?
So about a year ago I remember reading this very ‘serious’ post about how ftp clients like FileZilla store passwords in plain txt files and that there is this other type of ftp client that you really should use which is much safer. And this was picked up by tech sites I think.

Well I just remembered reading that and now want to find this type of more secure ftp client if this is all true. Does anyone have a clue what it was talking about?

Reply:

Toby
Yes they do. As a security professional, here’s how I look at it: those plain text files are stored on my local computer where I run FileZilla from. That puts you at far less risk than actually using FTP, which I’ll get to in a moment. Still, as a paranoid type, what I do is keep my passwords in a password manager. I use KeePassX (available for Mac, Linux, and Windows). It stores my passwords in an AES encrypted database that can only be opened with the master KeePassX password that I’ve chosen. KeePassX has features to automatically type usernames and passwords right into other programs (such as FileZilla) for me.

When you use FTP, your password is sent UNENCRYPTED from your computer to the FTP server. Anyone between you and the server can see that password go across the network with only a basic knowledge of how to capture network packets.

Instead, it is recommended to use FTP over SSH (also called SFTP), which is encrypted, and supported by FileZilla. If your server supports SFTP (not to be confused with FTPS, which is different), then you should use it.

Sending your password unencrypted over a network is far more risky than keeping it in a plain text file on your computer. And oh, by the way, the location where FileZilla keeps that text file is a protected folder. Only you or someone who has Administrator rights can get to that file.
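The answer's point that a captured FTP session exposes the password can be checked from the defender's side. The following is an added example, not code from this thread or from the FileZilla project: it scans a constructed, capture-tool-style transcript of the FTP control channel and reports flows where a PASS command was readable (with the value redacted), while treating a flow that completed explicit FTPS negotiation (AUTH TLS answered by 234) as encrypted from that point on. The line format and sample addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an FTP control channel (TCP port 21) as a capture tool might print
# it: timestamp, flow, direction (C = client, S = server), payload. Not real traffic.
SAMPLE_CAPTURE = """\
10:00:01 192.0.2.10:51000->203.0.113.5:21 C: USER david
10:00:01 192.0.2.10:51000->203.0.113.5:21 C: PASS hunter2
10:00:02 192.0.2.10:51000->203.0.113.5:21 S: 230 Login successful.
10:00:05 192.0.2.11:51001->203.0.113.5:21 C: AUTH TLS
10:00:05 192.0.2.11:51001->203.0.113.5:21 S: 234 Proceed with negotiation.
10:00:06 192.0.2.11:51001->203.0.113.5:21 C: (TLS record, unreadable)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<flow>\S+) (?P<dir>[CS]): (?P<payload>.*)$")


def find_cleartext_ftp_logins(capture_text):
    """Return one finding per flow in which an FTP password was readable on the wire."""
    state = defaultdict(lambda: {"user": None, "tls": False,
                                 "pass_len": None, "accepted": False})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = state[m["flow"]]
        if s["tls"]:
            continue  # after AUTH TLS + 234 the channel is encrypted; nothing to read
        if m["dir"] == "C":
            verb, _, arg = m["payload"].partition(" ")
            if verb.upper() == "USER":
                s["user"] = arg
            elif verb.upper() == "PASS":
                s["pass_len"] = len(arg)  # record that it was visible, never the value
        else:
            code = m["payload"][:3]
            if code == "234":
                s["tls"] = True           # explicit FTPS negotiated
            elif code == "230":
                s["accepted"] = True      # server accepted the credentials
    return [
        {"flow": flow, "user": s["user"], "password_redacted": "*" * s["pass_len"],
         "accepted": s["accepted"]}
        for flow, s in state.items() if s["pass_len"] is not None
    ]


if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE_CAPTURE):
        print(f"cleartext FTP login on {f['flow']}: user={f['user']} "
              f"password={f['password_redacted']} accepted={f['accepted']}")
```

An SFTP session never produces such a finding, since the whole exchange runs inside SSH and no FTP verbs are visible at all.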
