An alternative to storing passwords in FileZilla or other FTP clients

One of my clients’ websites got hacked recently, but fortunately he was able to restore the website and tighten up security. He also discovered how the attack happened: his own computer got infected with malware which read a file created by the popular FTP client, FileZilla. That file contained the FTP connection details for his website, including the password in plain text. Yes, FileZilla stores all the site connection details that you save in the Site Manager in a plain-text XML file. This seems very insecure. The FileZilla developers contend that it is the job of the operating system to keep your information secure and that, even if they encrypted the file, malware authors would easily decipher it, since the client would have to hold the key itself in order to connect without asking you anything. However, I am of the opinion that encrypting the passwords would make it more difficult for the attackers and therefore would improve security.

Personally, I’ve been storing FTP connection details in FileZilla’s Site Manager because I have so many websites to manage, but now that I’ve learned that it is a security risk, I’ve looked into finding a safer approach. The solution I’ve come up with is to use a password management tool called KeePass Password Safe to store the connection details instead of putting them into FileZilla. KeePass is a free, open-source application for securely storing and managing your sensitive login credentials: the database is encrypted and is only opened with your master password (and optionally a key file), so the passwords are not sitting on disk in a form that any process running as your user can simply read. It also allows you to automate the steps for opening an application and logging in to it (auto-type). Using this feature I can store the FTP connection details for my websites and launch FileZilla directly from KeePass, making it almost as convenient as using FileZilla’s Site Manager but much more secure. One caveat: while the database is unlocked, or while auto-type is typing a password, malware running as your user can still grab it, so this protects the passwords at rest rather than against an infection that is active while you work. Lock the database when you are not using it.

Automating KeePass to work with FileZilla

Here’s how I set up KeePass to make it automatically open FileZilla and initiate the FTP connection:

  1. I make a special group (folder) for my FTP connections (this can contain sub-folders to aid organisation)
  2. When adding a new entry, I set the URL field to:
    cmd://"C:\Program Files\FileZilla FTP Client\filezilla.exe"

    Adjust the path to your installation (a 32-bit FileZilla on 64-bit Windows lives under C:\Program Files (x86)). You can use Tools > URL Field: Select Application… to auto-populate this field for you

  3. Enter the FTP host name (e.g. ftp.example.com) as the Title, and fill in the username and password. The Title is what gets typed into FileZilla’s Quickconnect Host box, so either a bare host name or a full URL such as ftpes://ftp.example.com will do
  4. In the Auto-Type tab, make sure Enable auto-type… is checked and Inherit default auto-type… is selected
  5. Edit the parent FTP group and in the Auto-Type tab enter the override sequence (the Quickconnect bar’s fields are Host, Username and Password, in that order):
    {TITLE}{TAB}{USERNAME}{TAB}{PASSWORD}{ENTER}

Now when you want to connect to one of your websites:

  1. Open up KeePass
  2. Right-click on the appropriate entry and select URL(s) > Open In Browser (or Ctrl+U)
    This will fire up FileZilla
  3. Flip back to KeePass, right-click the entry again and select Perform Auto-Type (or Ctrl+V)
    This will log you in to the account. Auto-type sends the keystrokes to the window that was active before you switched to KeePass, so make sure that window is FileZilla with the Quickconnect Host box focused (click into it first if it is not); otherwise your password gets typed into whatever else is in front

Another Improvement – local & remote directories

One convenient Site Manager feature that’s missing from this approach is the ability to automatically set the local and remote paths once you’ve logged in. But even this can be accomplished using KeePass. My approach is to store the paths in two custom string fields. To do this, just go to the Advanced tab on an entry and click the Add button to add the custom fields. I called mine Custom 1 and Custom 2; custom fields are referenced from an auto-type sequence as {S:Custom 1} and {S:Custom 2}.

Then change the auto-type sequence that you entered in step 5 above to:
{TITLE}{TAB}{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 1000}{TAB}{TAB}{TAB}{TAB}{TAB}{S:Custom 1}{ENTER}{DELAY 3000}{TAB}{TAB}{TAB}{S:Custom 2}{ENTER}

Note that there is a 3 second delay before changing the remote directory – this is to allow enough time for the connection to be established before attempting to change directories. You may have to increase this if you have a slow connection to your FTP servers. The number of {TAB}s needed to reach the local and remote path boxes depends on your FileZilla version and window layout, so if the paths land in the wrong place, count the tab stops in your own window and adjust the sequence.

Migrating from FileZilla Site Manager

If you are already managing a lot of sites in FileZilla Site Manager you can import them into KeePass. Unfortunately there is no direct import option, but it can be done in a slightly roundabout way. KeePass can import from a generic CSV file, but FileZilla does not export to CSV. It does export to an XML file, which turns out to be essentially the same file it has already saved on your computer, so you can simply track down that file (you will need to find it anyway to dispose of it safely). It is stored in the application data folder. On Windows Vista and Windows 7 that file should be located at:
C:\Users\[username]\AppData\Roaming\FileZilla\sitemanager.xml
(on Windows XP try C:\Documents and Settings\[username]\Application Data\FileZilla\sitemanager.xml)

To import this data into KeePass you can follow these steps:

  1. Convert the XML file to CSV. I did this by importing it into Microsoft Access and exporting it as a CSV.
  2. Clean up the CSV file: remove unwanted columns (keep at least the host/title, user name and password)
  3. Import the CSV into KeePass (File > Import, Generic CSV Importer) and map the columns to Title, User Name, Password and so on
  4. Verify all data has been correctly imported, ideally by connecting to a couple of sites from KeePass
  5. Securely delete all files created in this process, the CSV and any Access database included (I used SDelete); every one of them holds your passwords in plain text

Making FileZilla Safe – Kiosk Mode

In addition to storing Site Manager details in sitemanager.xml, FileZilla also stores the most recent connections in recentservers.xml and the latest connection in filezilla.xml. To stop it from storing any passwords you can put it into what is called ‘Kiosk mode’. In the versions this was written for this is not a menu option but a hidden feature that must be turned on in an optional XML configuration file called fzdefaults.xml (newer versions also expose it under Settings > Interface, as one of the comments below notes). fzdefaults.xml lives in the same directory as filezilla.exe; if it does not exist yet, you will find a sample file, fzdefaults.xml.example, in the docs folder under the FileZilla installation. Just set the value of the Kiosk mode setting to 1 to enable it. If you are creating a new fzdefaults.xml from fzdefaults.xml.example, you can delete all the other settings from the file, leaving just the Kiosk mode setting. Note that Kiosk mode only stops FileZilla writing passwords: host names and user names are still recorded in recentservers.xml.
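A minimal fzdefaults.xml that does just that, written here as an added example rather than copied from the FileZilla package (the element names follow fzdefaults.xml.example; everything else from the sample file is left out, as suggested above):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Settings>
    <!-- 1 = never write passwords to sitemanager.xml, recentservers.xml or filezilla.xml;
         0 (the sample file's default) = keep storing them in plain text -->
    <Setting name="Kiosk mode">1</Setting>
  </Settings>
</FileZilla3>
```

Save it next to filezilla.exe, close every FileZilla window and start it again before checking the XML files: the defaults file is read at start-up, not while FileZilla is running.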

Then securely delete sitemanager.xml (with something like SDelete) or open it up and remove the passwords. FileZilla will overwrite recentservers.xml and filezilla.xml so those shouldn’t contain passwords anymore, but check rather than assume: search each of the three files for a <Pass> element. Remember that an ordinary delete leaves the plain-text passwords recoverable from disk, and if you suspect the machine was ever infected, change every password that was in that file as well.
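As an added example (not code from this post, from FileZilla or from KeePass), here is a small converter that does steps 1 and 2 of the migration above without Access, walking sitemanager.xml into a CSV that KeePass’s generic CSV importer can map, together with the check for the last step of the Kiosk mode section: it lists every <Server> in any of FileZilla’s XML files that still carries a password. Assumptions: the FileZilla 3.x element names (Servers, Folder, Server, Host, Port, Protocol, User, Pass, Name, LocalDir, RemoteDir), that newer versions mark the stored password with encoding="base64", and the Protocol number to URL scheme table, which I take from my reading of FileZilla’s source rather than from this post. The sample XML is constructed.

```python
"""FileZilla sitemanager.xml -> CSV for KeePass's generic CSV importer, plus a
check for passwords left behind in FileZilla's XML files.  Added example for
this post, not FileZilla's or KeePass's own code.  Assumed: FileZilla 3.x
element layout, <Pass> plain or encoding="base64", and the scheme table below."""
import base64
import csv
import io
import sys
import xml.etree.ElementTree as ET

# Assumed from FileZilla's ServerProtocol enum; unknown values fall back to ftp.
PROTOCOL_SCHEME = {"0": "ftp", "1": "sftp", "3": "ftps", "4": "ftpes"}
DEFAULT_PORT = {"ftp": "21", "ftpes": "21", "sftp": "22", "ftps": "990"}
CSV_FIELDS = ["Group", "Title", "User Name", "Password", "URL", "Notes"]

def decode_password(pass_el):
    """Stored password as plain text ("" if none).  Newer FileZilla versions
    base64-encode it, older ones write it raw; neither is encryption."""
    if pass_el is None or not pass_el.text:
        return ""
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8")
    return pass_el.text

def iter_servers(node, group=""):
    """Yield (group_path, <Server>) pairs, recursing into <Folder> elements so
    Site Manager folders become a KeePass group path such as Clients/Retail.
    A Folder's name is its leading text node."""
    for child in node:
        if child.tag == "Server":
            yield group, child
        elif child.tag == "Folder":
            name = (child.text or "").strip()
            yield from iter_servers(child, f"{group}/{name}" if group else name)

def server_to_row(group, srv):
    """Flatten one <Server> into the columns KeePass's CSV importer can map."""
    def text(tag):
        return (srv.findtext(tag) or "").strip()

    scheme = PROTOCOL_SCHEME.get(text("Protocol"), "ftp")
    url = f"{scheme}://{text('Host')}"
    if text("Port") and text("Port") != DEFAULT_PORT[scheme]:
        url += ":" + text("Port")
    return {"Group": group,
            "Title": text("Name") or text("Host"),
            "User Name": text("User"),
            "Password": decode_password(srv.find("Pass")),
            "URL": url,
            # kept so they can be moved into KeePass custom string fields later
            "Notes": f"LocalDir={text('LocalDir')}; RemoteDir={text('RemoteDir')}"}

def parse_rows(xml_text):
    """Every Site Manager entry in a sitemanager.xml as a list of row dicts."""
    servers = ET.fromstring(xml_text).find("Servers")
    return [] if servers is None else [server_to_row(g, s) for g, s in iter_servers(servers)]

def sitemanager_to_csv(xml_text):
    """CSV text with a header row, for KeePass: File > Import > Generic CSV."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(parse_rows(xml_text))
    return out.getvalue()

def stored_passwords(xml_text):
    """(host, user) for every <Server> that still carries a password.  Run it
    over sitemanager.xml, recentservers.xml and filezilla.xml after enabling
    Kiosk mode; an empty list is the result you want."""
    root = ET.fromstring(xml_text)
    return [(srv.findtext("Host") or "", srv.findtext("User") or "")
            for srv in root.iter("Server") if decode_password(srv.find("Pass"))]

# Constructed samples in FileZilla's layout, not real files.  The second is what
# recentservers.xml looks like in Kiosk mode: host and user kept, no <Pass>.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
    <User>alice</User><Pass>hunter2</Pass><Name>Example (plain)</Name>
    <LocalDir>C:\\sites\\example</LocalDir><RemoteDir>1 0 11 public_html</RemoteDir>
  </Server>
  <Folder expanded="1">Clients
    <Server><Host>sftp.client.test</Host><Port>2222</Port><Protocol>1</Protocol>
      <User>bob</User><Pass encoding="base64">c3dvcmRmaXNo</Pass><Name>Client site</Name>
    </Server>
  </Folder>
</Servers></FileZilla3>"""
SAMPLE_RECENTSERVERS_KIOSK = """<FileZilla3><RecentServers><Server>
  <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol><User>alice</User>
</Server></RecentServers></FileZilla3>"""

if __name__ == "__main__":
    # python fz2csv.py [sitemanager.xml] > sites.csv   (defaults to the sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SITEMANAGER
    sys.stdout.write(sitemanager_to_csv(src))
    for host, user in stored_passwords(src):
        sys.stderr.write(f"password still stored for {user}@{host}\n")
```

Run it against the real sitemanager.xml with stdout redirected to a CSV, import that into KeePass, then SDelete the CSV: it holds the same plain-text passwords as the XML did. The Notes column carries the LocalDir and RemoteDir values so they can be pasted into the Custom 1 / Custom 2 fields described above.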

PS: The FTP protocol itself is insecure because it sends your user name, password and data unencrypted, so where your host supports it use SFTP or FTP over TLS (FileZilla’s “FTPES”) instead. The system outlined above does not fix that, but it closes off one more way that hackers can get into your websites.


30 Responses to “An alternative to storing passwords in FileZilla or other FTP clients”

  1. Chris Says:

    The Keepass (free) interface appears to have changed since this article was posted. I am not able make sense of the “Another Improvement” section. Any chance you could update it?

  2. Aidan Says:

    @Chris – these instructions relate to KeePass 2.1.3, the latest version currently available. I have added a screenshot which shows where the custom fields are entered. Hopefully that clears it up for you.

  3. Pedro Says:

    The program works pretty well but I am having trouble with Kiosk Mode. I did everything and added the “1” instead of the “0” and for some odd reason FileZilla still keeps making the recentservers.xml file with all my info in it. I don’t know what I am doing wrong because I have gone over your instructions a few times already and it’s still not working. I also tried to remove everything from the XML file except for the Kiosk Mode & the <xml stuff but still nothing. Has anyone run into this problem?

  4. Aidan Says:

    @Pedro – check that fzdefaults.xml is in the same directory as filezilla.exe (at least that’s where it should be on my OS – Win Vista). Close all instances of filezilla and restart. If that still doesn’t work, do a search and/or post a message on Filezilla forum.

  5. Pedro Says:

    I’ll have to look for a solution, but for now I just set the recentservers.xml file to read-only so FileZilla cannot reach it, and deleted everything inside it. Every time I enter my server I get an error; I just hit OK and the program still works as normal, and when I check recentservers.xml it’s still empty and not rewritten, so this is a solution until I find a better one lol. Thanks for your help on KeePass :)

  6. Chris Says:

    Thanks for the reply. It was me who was using an older version of KeePass. Don’t know how I managed that.

    I followed your instructions and everything seems to be in order. I created a new fzdefaults.xml from fzdefaults.xml.example and put it in the same folder as Filezilla.exe then securely deleted sitemanager.xml and checked/removed passwords from recentservers.xml and filezilla.xml.

    I then used KeePass to log in to my 3 main sites. Afterwards I looked in C:\Users\[username]\AppData\Roaming\FileZilla\ and saw that a new sitemanager.xml file had been created. It contained the site host name and user names but not the passwords. The same info was in recentservers.xml. Is that how it should be or have I done something wrong?

  7. Chris Says:

    Correction. The newly created sitemanager.xml did NOT contain any host or user names. But recentservers.xml did contain this info, but no passwords.

  8. Aidan Says:

    @Chris, yes recentservers.xml does still store recent connections but no passwords so no worries

  9. FTP Saved Passwords threat « Imagine, Create, Inspire Says:

    […] An alternative solution for storing FTP passwords can be found here (http://sww.co.nz/an-alternative-to-storing-passwords-in-filezilla-or-other-ftp-clients/). However use this solution at your responsibility. I have not tested this […]

  11. Sonia Klair Says:

    Hi There,
    Really very important information for all; definitely these methods prevent hacking.
    Thanks,
    Steven

  12. Jassady Says:

    I have found another way, maybe it helps:
    http://www.evrim-sen.com/html/filezilla-password-protection.htm

  13. David Hervieux Says:

    Hi,
    You can use Remote Desktop Manager to store your password safely for FileZilla. The Enterprise Edition also supports supplying your KeePass credentials to FileZilla automatically.

    http://remotedesktopmanager.com/

  14. AG Says:

    Why not add an URL scheme override for ftp:

    cmd://"C:\Program Files\FileZilla FTP Client\filezilla.exe" ftp://{USERNAME}:{PASSWORD}@{TITLE}

  15. Aidan Says:

    @AG: Good suggestion. I had tried something like that before but as far as I remember, I didn’t get it to work (may have been a mistake in syntax) so I just went with 2 steps instead. But I just tried your suggestion and it worked for me. The only snag is that it doesn’t automatically change the local and remote directories, so to do that I would be back to the 2 steps. Any ideas how to accomplish that in the one step?

    Thanks for the tip!

  16. Alastair Says:

    Great post Aidan. I’ve been looking for something like this for a while now. It’s a super FTP client but the developer seems like the kind of guy I wouldn’t invite to a party. Filezilla is GPL, I wonder how difficult it would be to fork it and implemented some form of password encryption.

  17. Nicolas Says:

    The password is not copied in my FileZilla. I wonder why.
    It works fine with AG’s tip.

  18. AG Says:

    There is no command-line argument for FileZilla to change the local site but the remote site is easy. Just add "/{S:Custom 1}" behind the URL scheme override for ftp

  19. Ramoe Says:

    @AG: your method works, but I think it’s better to use "ftp://{USERNAME}:{PASSWORD}@{TITLE}" for the URL field and override the ftp URL in KeePass with cmd://"C:\Program Files (x86)\FileZilla FTP Client\filezilla.exe" "{URL}"

    If you’re using KeePass on another computer (where FileZilla is installed elsewhere) you can edit the URL override and all the entries will still work.

  20. haRacz Says:

    Any idea how to connect to sftp server?
    Now it only works through site manager.

  21. Securing Filezilla Says:

    […] first is described in a post from Stellar Web Works, in which Aidan Curran explains how to use a password management program to store your information, […]

  22. Troy Says:

    Filezilla’s plain-text password storage should eliminate it from any web developer’s choice for use. Try Core FTP LE (or Pro). I like the program’s password protection feature.

    Although it is not a freeware application, SmartFTP uses secure passwords via integration with KeePass. You need to download the KeePassRest Plugin for KeePass. If you are a web developer working with many clients then the ~$40 price should be acceptable to keep your login information secure and your mind at rest.

  23. Filezilla Security Issue | Travis Winn Says:

    […] http://sww.co.nz/an-alternative-to-storing-passwords-in-filezilla-or-other-ftp-clients/ […]

  24. gogo Says:

    I have FileZilla in TrueCrypt and it works just fine.

    To move the settings to the same encrypted container just add a folder "settings" in the same folder where filezilla.exe is and move all files from “C:\Users\[user]\AppData\Roaming\FileZilla”.

    Use fzdefaults.xml to tell FileZilla where to look for the settings by: ./settings/

    done

  25. Wim Says:

    More security?

    Use ftpes://domain.com in the Title field to connect using a more secure FTP over SSL connection if your host supports this.

    Use sftp://domain.com as Title to connect using FTP over SSH if your host supports this.

    A simpler remote directory
    To set a remote directory simply put it behind the domain name in the Title field, ie ftpes://domain.com/public_html/httpdocs

  26. Wim Says:

    And another thing, Kiosk mode can now be enabled in the settings > interface panel.
    http://iptf1633nonv3867.zippykid.netdna-cdn.com/wp-content/uploads/2013/01/Disable-FileZilla-Kiosk-Mode.png

  27. Harry Says:

    Possibly more complicated than it needs to be, but I just did it this way:

    URL Scheme Override:
    fiz
    cmd://"{ENV_PROGRAMFILES_X86}\FileZilla FTP Client\filezilla.exe" ftp://{USERNAME}:{PASSWORD}@{URL:RMVSCM}/{S:REMDIR} --local="{S:LOCDIR}"

    In the URL field:
    fiz://yourdomain.com

    This includes a local and remote server default directory in one command, requires filezilla 3.7.1 (came out shortly before I tried this, I’m very lucky!)

  28. Paul Says:

    cmd://"{ENV_PROGRAMFILES_X86}\FileZilla FTP Client\filezilla.exe ftp://{USERNAME}:{PASSWORD}@{TITLE}"

    pay attention to this mark -> "
    I’ve grabbed some code from one comment and somehow when I placed it in KeePass it was changed to a very similar -> ”
    so I was getting some error… till I figured this out I lost plenty of time
    ohh and don’t forget to turn off auto-type in entry and group

    Thanks Aidan and AG

  29. Paul Says:

    Forgot to say I prefer one step as I have configured remote server by setting proper access in ftp account settings on my hosting provider

  30. Somi K Reddy Says:

    I have followed steps from 1 to 5 but when I launch the url it opens filezilla and doesn’t log into the unix server.

    Can you help me.
