10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.

It's Open Source

"Criticism" huh? Well it's free - why is the developer obligated to do anything? Don't like it? Fork it and add your own functionalty. It's pretty fucking arrogant to think the developer is on the hook to add your oh-so-desired feature when you're not paying him. Reminds me of that Louis CK joke about people that complain about less-than-perfect cell phone service - "Climb some trees with some hubcaps and you make one"

Re: It's Open Source

Normally I'd defend the developer, but not in this case. FileZilla took advantage of users and potentially harmed them by participating in the DevShare program. That said, it should have been forked a long time ago to cut out a developer participating in DevShare.

Re: It's Open Source

I'm not disagreeing with you at all (in fact I completely agree), but SF dropped DevShare last year. However, I'd bet BizX comes with it's own boatload of issues.

Re: It's Open Source

[Joce640k]

Why would anybody still use it?

It turned into spyware years ago and WinSCP is 3000% better.

Re: It's Open Source

Spyware? What? Do you have *any* proof for this? I run a firewall and I never noticed FileZilla connecting anywhere else than the SFTP sites I'm using (I have auto update checks disabled).

If you have viable proof, please post. Otherwise don't spread FUD.

Re: It's Open Source

And WINSCP is absolutely not better. The plaintext password issue was my only real concern with FileZilla, otherwise it's extremely convenient imho.

Kushner - TOO LATE FOR HIM

Encrpypt using Russian gear? You are a fuhl!

I use WinSCP now

[nctritech]

I've found WinSCP to be better than FileZilla especially since so many providers offer SFTP now anyway. I don't store my passwords so the master password thing is not an issue to me. Don't store passwords if you don't want them to be found.

Re:I use WinSCP now

[antdude]

Can it resume downloads and uploads?

Re:I use WinSCP now

I've never managed to get WinSCP to transfer faster than 800Kb/s. I switched to FileZilla and get full bandwidth.

Re:I use WinSCP now

[0111+1110]

Also WinSCP is not Adware. Some people may prefer Filezilla for that reason. Filezilla is better if you like being served ads. WinSCP does not include Astromenda.

Re:I use WinSCP now

[TheOuterLinux]

FileZilla can do this. You right-click on the Queued Files section and select Export. It will save an XML file with all the queued items. Then, all you have to do is go to File-->Import and then right-click on the Queued Files section again and select Process Queue.

Re:I use WinSCP now

[TheOuterLinux]

Where are you getting your FileZilla from to have adware? Neither my Mac or Linux system's versions show ads, and I'm getting it from here: https://filezilla-project.org/. Maybe it's just a Window$ thing?

Re:I use WinSCP now

[antdude]

Interesting! So, it can resume transfers for SCP? I will need to check it out again.

Re:I use WinSCP now

the resume feature is not depending on filezilla client, it's a server feature, that should be enabled..

Re:I use WinSCP now

[Zocalo]

At a guess, SourceForge, or maybe some other third party download mirror site with similar practices, and yeah, AFAIK, it's mostly a Windows thing. SourceForge - and others - went through a period of bundling crapware with tools being downloaded from them, and since they were a popular means for small projects to offset bandwidth costs a lot of projects got bitten until they were forced to provide an opt out - and FileZilla the poster child for projects involved. There was an outcry, as you'd expect, but I have no idea which the mirror sites stopped the practice or not because this pretty much killed my use of them for downloads (sorry, small projects!), but I believe most mirror sites that are claiming to be reputable either no longer do so at all, or at least provide projects an opt out.

Re:I use WinSCP now

you're full of shit, dude.

maybe you're too fucking stupid to know better than to click on ads in google search results that link to bogus malware infested download sites?

Re:I use WinSCP now

[nctritech]

Yes. It will see the partial file and ask you if you want to resume or restart from scratch.

Re:I use WinSCP now

[LVSlushdat]

AND if you don't use Windows anymore, WinSCP is a non-starter, and as far as I'm concerned, Filezilla is the best ftp/scp/ftps client for Linux....

Re:I use WinSCP now

[0111+1110]

Yeah I guess it's a Windows thing. The developers wanted to make some extra cash with bundled adware, but I think they left Linux and Mac users alone. The Windows version still has the bundled adware when you download it from the link you posted.

The only way to avoid the adware on Windows is to compile the binary yourself from the source code or maybe use the Chocolatey package. There used to be download links that avoided the malware infected versions but those were taken down a long time ago. Presumably because the devs wanted to maximize their adware revenue. Every time someone downloaded the adware free version they probably figured they were losing money.

The bundled adware is not any sort of accident. The devs admitted as much a long time ago. They wanted to make money. I don't understand why people give the Filezilla devs a pass for going the adware/malware route. Maybe because they left Linux users alone or because they kept it open source. IMO though they are still dicks.

Re:I use WinSCP now

[antdude]

Cool. In the past, I wasn't able to resume download and upload files with SCP, SFTP, etc.

Re:I use WinSCP now

[nctritech]

You can use it with WINE and when Linux was my primary desktop OS I used to use gFTP or lftp instead.

Re:I use WinSCP now

In FileZilla's case, it was the program author himself who opted in to bundling the adware. He could have said no, but made an intentional choice to include the adware and was dismissive and hostile to complaints about it. I switched to using PuTTY's pscp at that time.

Re:I use WinSCP now

[TheOuterLinux]

I haven't used Window$ since 2008 unless forced to in an office/mdeia center environment. When I see things like this on a Micro$oft system in an environment with a lot of people, it doesn't shock me at all. However, every now and then when I see a friend showinf off their new laptop, I cringe and complain about what they are using, yet they expect it from a Linux user like me. In other words, freemium/adware/30-day trial is socially excepted, even though they are paying $900 for a laptop on top of being locked into cloud computing software and everything else. That's probably why Linux users never complained all that much since we can just take the source code and fork it without ads. A few people did that for the Window$ version, but it never took off and with the Window$ Store becoming popular, it never will.

Re:I use WinSCP now

[indi0144]

[citation needed]

The news was the Sourceforge was adding adware to the packages and the one that caused the outrage was FZ. Is not the developers that added the adware on their side, they might have signed up for the Ad program offered by SF which they dumped once they realized whats was all about.

Also because I even got to download one of the bundled installers for FZ on windows and the AV picked the Adware package. Easily removed with 7z and FZ installed cleanly afterwards.

Transmit

[Idimmu+Xul]

Filezilla is so behind the times I switched to Transmit on the mac and have never looked back

Re:Transmit

[93+Escort+Wagon]

Filezilla is so behind the times I switched to Transmit on the mac and have never looked back

$34 seems like a bit much for an ftp/sftp app...

Re:Transmit

[SeaFox]

Possible responses:

1) He's a Mac user. He's used to overpaying for basic functionality.
2) If he was a Windows user, I bet he would have paid for WinRAR, too.

Re:Transmit

[TheOuterLinux]

Cyberduck is free and open source and very easy to use if you need a Mac client.

Re:Transmit

Tried Flow? Love it.

Re:Transmit

You forgot one:

3) I make a enough money that it makes sense to invest in decent software (such as macOS, for example) that saves my precious time.

Re:Transmit

[thegarbz]

Behind on the times? What is it that Filezilla is missing? A frigging like button or something?

Re:Transmit

Correction: You make enough money to unwisely invest it in deficient software (macOS, for example) which requires further monetary investment to bring it up to a level of basic functionality (FTP, for example). No time was saved.

Does anyone...

Still use FileZilla? For real, I'm curious. I haven't heard of anyone using it or talking about it in what feels like a decade.

I am frequently befuddled at what Slashdot decides is good content. An editor hurting to hit their end of month quota for articles?

Re:Does anyone...

[MightyYar]

My whole company has standardized on it. I can go to any PC in the building and find Filezilla. To be fair, they standardized on it perhaps 7 years ago. But hey, it still works.

Re:Does anyone...

[tonique]

Our corporate software center allows all users to install Filezilla with just two clicks! I think it might be there because some employees use it to transmit big files to clients. Ok, honestly, I don't know why it's there.

Do you have a point?

"Criticism" huh?

Yep. It's free and easy, and sometimes even helpful.

Well it's free

Yep. Free software. Yay.

why is the developer obligated to do anything?

The developers are not obligated to do anything.

Don't like it?

I don't use Filezilla and do not have a strong opinion regarding this feature.

Fork it and add your own functionalty.

It looks like that is what solved the problem.

It's pretty fucking arrogant to think the developer is on the hook to add your oh-so-desired feature when you're not paying him.

That would be pretty arrogant. Do you or anyone you know feel that way? Or are you just creating a strawman so that you can argue against it?

You didn't say this exactly, but you seem to be implying that nobody should be allowed to criticize free software. If you were to say that, I would say bullshit, if you don't want your work criticized then don't share it. Everyone is free to give their opinion, to which you can choose to utilize it to make a better product or you can ignore it.

Re: Do you have a point?

The point is this article reads like it's trying to publically shame the developer into having done something (who they call out by name, and say constantly refused to add this feature, as if this is relevant). Seems silly to me. If you don't like it, find a better tool. Don't try and shame the developer into adding features you want, security or otherwise. they work for free. The OSS "community" tends to have a hard-on for these types of things. I especially see this with regards to adding support for HTTPS, etc. to software because all developers are supposed to be altrustic when it comes to securiy for some fuckall reason. If you don't like it don't use it, simple as that. You don't have a right to complain about not having something you didn't pay for.

Re: Do you have a point?

[Vlad_the_Inhaler]

Naming the developer is less of a deal here than you think - he has been notorious for years because of his stance on this matter. He has rejected patches from third parties trying to fix the deficiency, something which finally led to the fork a year or so ago. Oh, the person who forked the project had suffered a breach where the lack of this feature was a major contributing factor.

I don't use FileZilla and never have, but for me the whole sordid tale raises a question mark against projects of this kind: Any project of this nature is substantially ego driven, the programmer is donating time and energy to provide a service. The problem is when that ego leads him (99% are male) to leave unnecessary deficiencies in the "product"? I'm running an old linux distribution on a machine in my internal network because an important tool was updated around 18 months ago to remove support for something I use a lot. It is a personality clash between the owners of two projects. My old version works.
Look at the decisions Firefox has made recently, I consider some of them to be sabotage, vandalism.

Re: Do you have a point?

Someone thanked the developer for adding this feature (after filing a request for it 9 years ago), and he replies

"I'm glad you like a feature that doesn't even increase security."

I hope to never meet or interact with this person, as it is highly frustrating to even read about this interchange from my position of removal (not a filezilla user).

Link here: https://forum.filezilla-project.org/viewtopic.php?f=3&t=64&start=1005#p156191

Re: Do you have a point?

[misexistentialist]

it's his personality, can't take it personally because he is consistent

Re: Do you have a point?

Well, if you carefully read its algorithm description, it's a lot of cryptographic mumbo-jumbo for nothing more than a key simply derived from the master password; there is nothing really added by its EC or AES use. I think he invented it as a joke for the ones willing "more security" through this pseudo-security measure, and now they are pleased because they think it looks complicated, thus it must be very "secure".

Holy crap

[93+Escort+Wagon]

By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text.

You've got to be kidding me.

Re:Holy crap

[PrimaryConsult]

Thankfully pidgin has disappeared into irrelevance with the rise of cell phone messaging; they still store their passwords in plain text.

Re:Holy crap

Yes. They did. I was surprise to find that out a few years back.

Re:Holy crap

Yes, how dare they use XML when they could have used SQLite and JSON like Firefox or instead do it like Chrome on Windows where Microsoft is expected to do the right thing.

Storing passwords on a system where those passwords can be accessed by software without user interaction doesn't strike me as very secure. Then again, if malware is on the system you probably have already lost, so the keychain encryption schemes help against attacks on turned off/logged out devices.

The integration of a password manager sure is a convenient thing, though. Good on them for finally implementing that.

Re:Holy crap

THEY (the original Filezilla devs) DIDN'T do that... Someone else forked Filezilla and added that feature.. Read the article ffs

Re:Holy crap

[SeaFox]

Pidgin became irrelevant for two reasons -- in the following order chronologically:

1) The developers only wanted to add features they personally were interested in, and their desires didn't correspond to those of anyone else who used the program.

2) IM networks taking protocols private.

really?

filezilla's still a thing? its 2017 for christs sake.

I'm waiting for Archie and Gopher version

[goombah99]

who uses FTP? isn't SCP the thing?

Re:I'm waiting for Archie and Gopher version

Everybody uses FTP. What kinda dildoe are you?

Re:I'm waiting for Archie and Gopher version

[dissy]

who uses FTP? isn't SCP the thing?

Filezilla does SCP as well as SFTP, and FTPS.

There are less and less things using plain FTP, mainly anonymous public file repositories.
But they support full FTP authentication none the less.

Since the vast majority of the transfer protocols it supports are encrypted specifically to not send your password in plain-text, it is fairly important to store them encrypted locally too if you will be storing them at all.

Makes little since not to store FTP passwords right along with the others in the same place and would be silly not to.

Personally the last time I used FTP sending a password was to upgrade the firmware on a network switch I had connected via cross over to a laptop, and it was the default user/pass from the manual. In that case the firmware upgrade required blowing away the config and starting over, so it made little sense to change the password ahead of time when I'd need to do it again after.
Since this was before deploying the hardware, and in the fully configured state FTP was disabled completely, I don't feel it is fair to consider such a usage as insecure.

Filezilla = Adware

[0111+1110]

Yawn. Who cares. Filezilla is adware. It is *not* free software. Does anyone still use it? Why bother when there is truly free software that works just as well or better.

Re:Filezilla = Adware

It is *not* free software

Yes, it is. On the main site I can download the source code and compile it, something I've had to do when the pre-built Linux binaries didn't work on older distros. The software license is GPL v2.

How the fuck is it NOT free software? If you're still referring to it as adware, I'm assuming it's because of the partnership with SourceForge which bundled adware in certain versions of the software (of which you could easily still download a clean version if you knew what you were doing). That program ended quite a while ago. Of course, you'd know this if you bothered to be more understanding and check if what you actually typed matched reality, but that's too much work. Hatred is easier.

Re:Filezilla = Adware

[Zocalo]

FileZilla has its faults, but being adware is NOT one of them. It was one of many victims (GIMP and VLC were others) of third party mirror sites like SourceForge that decided to make some additional money by bundling crapware with downloads, often without the knowledge of the projects involved. Unless you've been sourcing your software from a particularly shady mirror site, this bundling was usually made pretty clear during the install process, such as the screenshot in the link.

Re:Filezilla = Adware

[thegarbz]

So you clearly don't use Filezilla.

Re:Filezilla = Adware

[LVSlushdat]

I use Filezilla extensively on Linux and I gar-on-tee you theres NO ads here.... Couldn't say about the Winblows version, as I quit fucking with Microsoft crap over 7 years ago.....

Re:Filezilla = Adware

[0111+1110]

How the fuck is it NOT free software?

Well I guess it's free in the sense that all malware is free.

If you're still referring to it as adware, I'm assuming it's because of the partnership with SourceForge which bundled adware in certain versions of the software (of which you could easily still download a clean version if you knew what you were doing).

In all versions. There are no longer any binaries available that are not adware/malware. Yes what you are saying used to be true some years ago, but it is not true anymore. Also don't blame Sourceforge. Filezilla specifically chose to have Sourceforge bundle the adware because it makes money for them. They openly admitted it and had no plans to make any changes despite the complaints.

Yes if you are willing to go through the trouble of compiling the code yourself you can avoid the malware but not many people are going to go through the trouble.

That program ended quite a while ago.

Go find me a link to a Windows binary of the latest version of Filezilla that does not have the bundled adware. Good luck with that.

Re:Filezilla = Adware

Actually, the maintainer of FileZilla repeatedly defended this practice of SourceForge in their forums. He also made money from the bundled software. He insisted repeatedly in the forums that it was not malware, and that people were free to choose not to install them. I think *technically* they were not malware, but they were certainly unwanted by the vast majority of the people who installed them.

I do believe that the program has been ended (by SourceForge's action, not by FileZilla), but FileZilla does now have ads on the new version screen. I think it is fair to call it ad-supported.

Re:Filezilla = Adware

Actually, if you click on "Show additional download options" on the download page, it will take you here: https://filezilla-project.org/download.php?show_all=1

Which are the regular install wizard, minus the bundled adware.

Not using SCP?

[Cmdln+Daco]

I wince any time I have to access a logged account on a server with FTP. Isn't the password sent over the wire unencrypted? FTP has been replaced by SCP for a reason.

If I am wrong please correct me.

Re:Not using SCP?

Is this even a worry anymore? Other than having a compromised router somewhere along the line how would someone intercept your credentials?

Re:Not using SCP?

[Frosty+Piss]

I wince any time I have to access a logged account on a server with FTP.

For anything other than, for example public FTP software downloads, most people who use FileZilla use SFTP. The fools at WordPress still use FTP for auto-updating. Though SFTP is an option, noobs will probably use FTP.

But why do hosting companies even allow it? It's got to be a HUGE vector, and although hosting companies generally will not take any responsibility for hacked sites that they host (and why should they), it's got to be a Help Desk pain in the ass.

Re:Not using SCP?

I wince any time I have to access a logged account on a server with FTP.

For anything other than, for example public FTP software downloads, most people who use FileZilla use SFTP. The fools at WordPress still use FTP for auto-updating. Though SFTP is an option, noobs will probably use FTP.

But why do hosting companies even allow it? It's got to be a HUGE vector, and although hosting companies generally will not take any responsibility for hacked sites that they host (and why should they), it's got to be a Help Desk pain in the ass.

You are absolutely correct, and the reason we still support it in the hosting business is that the customers demand it.

Re: Not using SCP?

Someone running wireshark on your network. A packet sniffer on your work LAN. A nosy sysadmin.

Re:Not using SCP?

[freeze128]

How is FTP *MORE* of a pain in the ass to the helpdesk than SFTP? The only thing they have to do is manage password resets. It's just as easy to do that for FTP as it is for SFTP.

Re:Not using SCP?

SFTP does all its communication as a single client-server connection to port 22, which is simple. By comparison, FTP requires separate control and data connections, the data connections may be opened from client to server or from server to client, depending on whether active or passive mode has been selected, requires that the IP and port for these data connections be correct for the external rather than internal addresses, and thus can play havoc with stateful firewalls and NAT, especially where home routers are involved. None of these topics are particularly easy to broach with an average customer. In short, FTP is orders of magnitudes more of a pain in the arse than SFTP.

That you don't appear to know this and yet feel free to opine on the matter tells me that you need to turn in your geek card at the door immediately, and leave Slashdot forever. Never come back.

Re:Not using SCP?

[Frosty+Piss]

How is FTP *MORE* of a pain in the ass to the helpdesk than SFTP? The only thing they have to do is manage password resets. It's just as easy to do that for FTP as it is for SFTP.

From the resulting account hacks was my thinking, but I can't confirm that.

Re:Not using SCP?

[Frosty+Piss]

That you don't appear to know this and yet feel free to opine on the matter tells me that you need to turn in your geek card at the door immediately, and leave Slashdot forever. Never come back.

I would tell you to go fuck yourself, but as you are an over-weight neck-beard situated in a darkened basement where you consume copious quantities of Mountain Dew and Cheetos, I assume you already fuck yourself.

Re:Not using SCP?

Ah, hilarious - I think I've been harsh and check back in to rectify the situation and find that little gem instead. So new, so original.
So in answer to your question, unfortunately not, you missed the mark. How about yourself?

I was going to rephrase that to "if you have mixed up FTPS and SFTP then that's understandable".

However, in light of both of our performances, let me also add "if you want to learn, then leave Slashdot and never come back. Slashdot stopped having any geek cred and has been a hole for the over-opinionated and clueless for over 10 years now, there is nothing of value here."

Cheers!

Re:Not using SCP?

[Frosty+Piss]

Cheers!

How pretentious. Are you enjoying your quiche Lorraine and over-oaked Chardonnay?

Hard to believe

[n3r0.m4dski11z]

The fact that they have near daily updates (Basically every time i turn on filezilla, there is a new client), I am extremely surprised that they wouldn't handle feature requests promptly. What the hell are all the damn updates for then?? NO software can be THAT buggy!

But back in the day, I do remember them implementing a suggestion I pushed for which was the addition of autoban. So I considered them quite responsive.

And for saying "filezilla is DYING!" that hasnt been my experience. I thought it was considered the de-facto standard because: 1) they offer a client on virtually every platform and 2) its the ftp client that ninite installs. Most people who arent using filezilla, are using browser based FTP and locking out their accounts with unstandard behaviour. So i like being able to tell literally anyone, to just go to one website to get a great free ftp client.

I personally don't save passwords in an ftp client in the first place. Perhaps that was why it was not a popular suggestion. The people who are concerned with security enough to know what a master password would do, and yet still want to store their passwords inside the program instead of in their head or document, has got to be a small group. I know its envogue for password managers now and maybe thats why he implemented it.

This is really just a positive story for open source software in general. You can have a program constantly maintained for so long that it can accumulate 10 year old feature requests that ACTUALLY GET IMPLEMENTED! hooray!

Re:Hard to believe

You don't have to explicitly ask Filezilla to save your passwords for it to do it. By default Filezilla saves a history of all your connections in the "quick connect" bar. Every login credential you've used is saved in plaintext on the harddrive unless you clear your connection history.

Despite years of requests for password encryption and even malware specifically targeting the Filezilla password files the developer refused to add password encryption because keeping your OS secure "isn't his job",or some nonsense. It wasn't until FileZilla Secure forked the software and implemented this feature ~6 months ago that the developer suddenly changed his mind.

Typical

I bet the developer still refuses to add auto upload on save for external third party editors like every other FTP client has had for at least a decade.

Re:Typical

Maybe it's time for another fork..

But did they get it right?

did they encrypt passwords only, or addresses and account names etc. as well?

Re:But did they get it right?

From the article it looks like they're only encrypting the password. The fork filezilla secure encrypts the whole saved credential file.

Read the forum threads

And grab some popcorn! Its great entertainment.

I guess the dude doesn't realize that no security is perfect. You don't need to be the best, you just don't want your tool to be low hanging fruit for for easy automated credential theft.

Maybe he'll get chased by a bear one day.

People is stupid

How anyone is using such a sensitive program as a file transfers' one written by a retard this big is just beyond possible comprehension.

I've never used it, but I've been on the receiving end of the retardedness after a graphics designer I worked with got all the FTPS/SFTP credentials he had stored in FileZilla, without the rest of the team knowing it (we told her to use WinSCP), stolen when her computer got infected by malware. Multiple sites were defaced and plenty of other issues had to be handled (spamlists removal, massive password resets, etc..) because an egotistical retard didn't want to implement such a simple and basic security feature.

Just concede your point.

Just concede your point.

It's free software.

SFTP

[DrYak]

I've found WinSCP to be better than FileZilla especially since so many providers offer SFTP now anyway.

Note that Filezilla support SFTP too.

I don't store my passwords so the master password thing is not an issue to me. Don't store passwords if you don't want them to be found.

Even better :
don't use passwords. Use Public Keys pairs.

(Filezilla supports them, and can use Putty's key agent to handle them)
(I'm sure that WinSCP can too, just didn't bother to check).

Best part : you can then completely switch off the support for password on the SSH/SFTP server.
Your server is then (obviously) immune to brute force / password guessing.

Maybe FileZilla Server can add SFTP support...

[rklrkl]

I guess there's still hope for FileZilla Server to eventually get SFTP support before I die. It's quite astonishing that this "obvious" feature of file transfer server software hasn't been implemented yet (despite the FileZilla Client having had SFTP support for years). I mean, it's "only" been 13 years since the feature was originally requested - easily beating the master password encryption feature request by a full 3 years. And, yep, someone recently suggested closing the SFTP feature request because Tim Kosse has done nothing about it for well over a decade :-(