FTP password retention

  • FTP password retention

    I'm somewhat disturbed by the discovery that exiting, relaunching and reselecting an FTP location causes BC2 to reconnect without asking for password.

    Where is it storing the password?

    How do I prevent it from doing so?

  • #2
    Re: FTP password retention

    FTP passwords are stored in the registry at:
    HKEY_CURRENT_USER\Software\Scooter Software\Beyond Compare\FTP\Passwords

    BC does something to garble/encode them when they're stored.

    To clear saved passwords, select Tools|Options. Go to the FTP > Firewall / Proxy section. Click the "Clear Passwords" button.

    If you enter an FTP path directly using the form ftp://user:pass@server/, BC will automatically save the password.

    If you enter a username and password in the FTP browse dialog, it will also save the password.

    If you enter a URL without a password, such as ftp://user@server/, or if you only enter a username in the FTP browse dialog, BC will prompt you for a password. The "Enter Password" dialog has a "save password" check box. If you leave this unchecked, it won't save your password.
    Chris K Scooter Software
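
An added example, not part of the thread and not Scooter Software code: a PowerShell script that lists what is saved under the registry key named in the reply above and, with `-Clear`, deletes it for the current user. Only the key path comes from the thread; the layout beneath the key is not documented there, so the script reports entry names and registry types and never reads the stored data.

```powershell
# Added example (not Scooter Software code). Only the key path comes from the
# thread; the layout beneath it is not documented there, so entries are listed
# by name and registry type and the stored data is never read or printed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Clear   # delete what is found, like the "Clear Passwords" button
)

$SubKey = 'Software\Scooter Software\Beyond Compare\FTP\Passwords'

# Second argument: open writable only when -Clear was given
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, [bool]$Clear)
if ($null -eq $key) {
    Write-Output "Key not present: HKCU\$SubKey"
    return
}

try {
    $entries = @()
    foreach ($name in $key.GetValueNames()) {
        $entries += [pscustomobject]@{
            Kind = 'Value'; Name = $name; Type = $key.GetValueKind($name)
        }
    }
    foreach ($name in $key.GetSubKeyNames()) {
        $entries += [pscustomobject]@{ Kind = 'SubKey'; Name = $name; Type = $null }
    }

    Write-Output "$($entries.Count) saved entries under HKCU\$SubKey"
    $entries | Format-Table Kind, Name, Type -AutoSize

    if ($Clear) {
        foreach ($e in $entries) {
            # Honors -WhatIf / -Confirm before each deletion
            if (-not $PSCmdlet.ShouldProcess("HKCU\$SubKey\$($e.Name)", 'Delete')) { continue }
            if ($e.Kind -eq 'Value') { $key.DeleteValue($e.Name) }
            else { $key.DeleteSubKeyTree($e.Name) }
        }
    }
}
finally {
    $key.Close()
}
```

Running it with `-Clear -WhatIf` shows what would be deleted without changing the registry.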

    • #3
      Re: FTP password retention

      Did my reply to this of two days ago get vaped by an admin?

      • #4
        Re: FTP password retention

        Chris,

        I don't think a post was deleted. I subscribe to email notifications of every post in this forum, and I didn't see any note about another post by you in this thread.
        Chris K Scooter Software

        • #5
          Re: FTP password retention

          > FTP passwords are stored in the registry. ... BC does
          > something to garble/encode them when they're stored.

          That's a severe security vulnerability. I think you ought to warn about that in the UI.

          I cannot afford that risk. How do I disable BC2 from storing passwords in the registry?

          Thanks.

          • #6
            Re: FTP password retention

            > I don't think a post was deleted

            OK, thanks.

            • #7
              Re: FTP password retention

              There isn't an option you can set anywhere that will prevent BC from ever saving passwords.

              If you always connect to an FTP server using the method from my earlier post, it won't save the password:

              If you enter a URL without a password, such as ftp://user@server/, or if you only enter a username in the FTP browse dialog, BC will prompt you for a password. The "Enter Password" dialog has a "save password" check box. If you leave this unchecked, it won't save your password.

              Edit:
              I will add an option to prevent password saving to our list for a future release of BC.
              Chris K Scooter Software

              • #8
                Re: FTP password retention

                I've documented the password retention for end-users here. We have to change our mainframe password every 30 days - 3 invalid attempts and you're locked out (and that could easily happen if you've told BC to save/reuse your password).

                From my/our point of view, I note the fact that the user should never select the "save password" option, but if they do, I've also documented how they "un"able it.

                • #9
                  Re: FTP password retention

                  > There isn't an option you can set anywhere
                  > that will prevent

                  Disappointing.

                  > I will add an option to prevent password
                  > saving to our list for a future release of BC.

                  Thanks. I suggest

                  (*) Don't save
                  ( ) Save until exit
                  ( ) Save indefinitely

                  I also suggest that the security of the current 'encryption' is embarrassing - to this user, if not to SS!

                  • #10
                    Are there any changes in BC regarding this issue?

                    My usage scenario:
                    - Portable BC
                    - Many FTP targets
                    - Encryption of portable media where BC resides is not reasonable in this case

                    Therefore, in my view, a reasonable solution would be to save all FTP access data in a single encrypted file under a master password control.

                    Yes, I know I could encrypt that with a third party software (for instance truecrypt, or some other). Out of question for this simple purpose, sorry.

                    BTW, FileZilla has completely the same problem and apparently (according to some rather old threads) is not prepared to accept the necessity resulting from this simple usage scenario.

                    Are you willing to acknowledge the problem? Is there any development in this direction?

                    What are your thoughts?

                    Thank you.
                    Borut

                    • #11
                      Hello,

                      Increasing our encryption is something on our wishlist, but is not currently scheduled development.

                      My recommended solution is to encrypt the entire device if you are looking for a secure storage method, especially if you have multiple portable programs that all have the same lack of encryption you are looking for (Beyond Compare 3, Filezilla, and you'll likely add at least one or two more). A dedicated encryption solution will be able to account for any program, securing the entire device, and will likely implement a better solution than we could, as it is their dedicated purpose.
                      Aaron P Scooter Software

                      • #12
                        Could you please be so kind to announce here the availability of this feature in BC4. Thank you.

                        (Your suggested workaround is an overshot for my usage scenarios. Due to this vulnerability I have already replaced Filezilla with another portable FTP client that supports this feature.)

                        • #13
                          Hello,

                          This feature is still on our wishlist and has not been implemented yet. If we are able to implement it, we would make a note in our Changelog, and announce the version on the News and Announcements forum. Please subscribe there for announcements.
                          Aaron P Scooter Software
