FTP Passwords Saved in FTP Client Software are Unsafe

FTP client software is used to connect to an FTP server and upload files or
folders to it. When you sign up for a web hosting package, the host normally
provides FTP login details so that you can upload your website to their server.
It is very important to keep your FTP username and password safe, because if
they fall into the wrong hands an attacker can embed malicious scripts in your
website and infect your visitors. They can also delete your website and upload a
single index HTML file to show that the site has been defaced or

Unfortunately FTP is not safe at all. First of all, FTP credentials are transferred in
clear text, so anyone running a packet sniffer on the network path can read the
username and password. SFTP solves this problem, but it is not very commonly
offered on web servers. If your web server does offer SFTP, I suggest you use it.
The next thing to worry about is how securely your FTP client software stores
your FTP password. If you didn't know, FileZilla, one of the most popular free FTP
clients, saves your FTP login information to sitemanager.xml and
recentservers.xml in clear text. Even if you use commercial FTP client software
such as SmartFTP, which encrypts your FTP password, it is still not very safe,
because there is recovery software that can decrypt the encrypted password: the
client has to be able to decrypt it on its own to log you in, so whatever it needs
to do that is available on the same machine.
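To make the clear-text storage concrete, here is an added example (my own code, not from the article or from the FileZilla project) that audits a sitemanager.xml and reports every saved site and whether a password is stored for it. It goes slightly beyond the article: besides the plain-text <Pass> element that old FileZilla releases write, it also decodes the <Pass encoding="base64"> form that newer releases use, which is an encoding rather than encryption and recovers just as easily. The sample XML is constructed for the example; the portable-install path in candidate_sitemanager_paths() is an assumption about FileZilla Portable's layout.

```python
"""Audit a FileZilla sitemanager.xml for stored passwords.

Added example, not code from the original article or from FileZilla.
FileZilla's Site Manager file is XML: a <FileZilla3> root, a <Servers>
element, and one <Server> per saved site with <Host>, <Port>, <User>,
<Pass> and <Name> children. Old releases write <Pass> as clear text;
newer releases write <Pass encoding="base64">, which is an encoding,
not encryption, so both forms are recovered here.
"""
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sample covering three cases: a clear-text password (old
# FileZilla), a base64-encoded password (newer FileZilla), and a site
# saved without a password so nothing is stored.
SAMPLE_SITEMANAGER_XML = """<FileZilla3 version="3.10.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>Old site (clear text)</Name>
    </Server>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>Newer site (base64)</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <User>ops</User>
      <Name>Password not saved</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(pass_elem):
    """Return the stored password as text, or None when none is stored."""
    if pass_elem is None or not pass_elem.text:
        return None
    if pass_elem.get("encoding") == "base64":
        return base64.b64decode(pass_elem.text.strip()).decode("utf-8")
    return pass_elem.text


def audit_sitemanager(xml_text):
    """Parse Site Manager XML and report every saved site and its password."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_elem = server.find("Pass")
        password = decode_pass(pass_elem)
        findings.append({
            "name": server.findtext("Name", default=""),
            "host": server.findtext("Host", default=""),
            "user": server.findtext("User", default=""),
            "stored": password is not None,
            # "plain" for old clear-text files, "base64" for newer ones
            "encoding": (pass_elem.get("encoding", "plain")
                         if pass_elem is not None else None),
            "password": password,
        })
    return findings


def candidate_sitemanager_paths():
    """Where FileZilla keeps sitemanager.xml on Windows (%APPDATA%) and
    Linux (~/.config), plus the FileZilla Portable layout, which is an
    assumption: adjust it to wherever the portable folder actually lives."""
    paths = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        paths.append(os.path.join(appdata, "FileZilla", "sitemanager.xml"))
    paths.append(os.path.expanduser("~/.config/filezilla/sitemanager.xml"))
    paths.append(os.path.join("FileZillaPortable", "Data", "settings",
                              "sitemanager.xml"))
    return paths


def audit_file(path):
    """Audit a real file on disk; returns [] if it does not exist."""
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return audit_sitemanager(fh.read())


if __name__ == "__main__":
    print("Constructed sample:")
    for f in audit_sitemanager(SAMPLE_SITEMANAGER_XML):
        state = (f"{f['encoding']} -> {f['password']!r}" if f["stored"]
                 else "not stored")
        print(f"  {f['user']}@{f['host']} ({f['name']}): {state}")
    print("Local files:")
    for p in candidate_sitemanager_paths():
        for f in audit_file(p):
            print(f"  {p}: {f['user']}@{f['host']} password "
                  f"{'stored' if f['stored'] else 'not stored'}")
```

Run it as is to see the three sample cases, then point audit_file() at your own sitemanager.xml. Every entry it reports as stored is a password that any process running as your user, including a trojan, can read without touching the registry at all.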

Most FTP password recovery tools, and trojans written for the same purpose, are
programmed to recover passwords instantly. They look in the Windows registry to
find out whether an FTP client is installed, then locate, decrypt and reveal the
stored login information. Here is an example with FileZilla to help you
understand. I downloaded the installer and ran the setup. During installation I
was prompted to choose the install location. Even if I change the default install
location, password recovery software can still find it, because the registry
reveals where FileZilla is installed!

One way to protect yourself from such password recovery software is to use a
"portable" version of the FTP client. There is a FileZilla Portable that can be
downloaded from PortableApps. A portable version of FileZilla does not write any
information to the Windows registry, so password recovery software that relies
on the registry won't know that FileZilla is installed. Keep in mind that this
only hides the installation: the portable version still keeps sitemanager.xml in
clear text inside its own folder, so a tool that searches the disk for that file
name can read the password just the same. The only way to be sure the password
is not on disk is not to let the client save it.