If you want to avoid the security auditors giving you a red alert, don't store any FTP connection properties in WinCmd. Reasons being:
1. There are tools available to decrypt the FTP passwords stored in the WinCmd FTP list.
2. With tools like SnadBoy Revelation, any moron can get to your passwords very easily (in-house hackers working on your servers). [Just launch SnadBoy Revelation and then open any FTP connection properties details, drag the SnadBoy cursor onto the password edit box]
Download and try SnadBoy from: http://www.snadboy.com/RevelationV2.zip
Author might want to consider:
1. Having a separate Checkbox to remember the password or not.
2. Don't show the password "as it is" in the password TEdit of the TDETAILS form (basically mangle the Text property of the TEdit).
3. Use some basic Crypto API algo for encrypting the password (might want to check the algos supported on Win 9x).
Don't store FTP Passwords
- ghisler(Author)
The password is NEVER stored automatically, and there is a big warning that storing passwords isn't safe. It is mathematically impossible to store passwords in a safe way! Even crypto api wouldn't help, because it needs a PASSWORD to encrypt the passwords. The only safe method would be a master password, which would be requested from a user every time he tries to connect for the first time. Mozilla has such an option.
Author of Total Commander
https://www.ghisler.com
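The master-password approach described in the reply above, as an added Python sketch that is not part of the thread and not Total Commander's code: the key is derived from a master password that is never written to disk, so the stored record alone cannot be decrypted. The names `seal` and `open_record`, the PBKDF2 iteration count, and the HMAC-based keystream (a standard-library stand-in for an AEAD cipher such as AES-GCM) are assumptions of this example.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _keys(master: str, salt: bytes):
    # Derive 64 bytes from the master password; nothing derived is ever stored.
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD (e.g. AES-GCM).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master: str, ftp_password: str) -> bytes:
    """Return the record that would be written to the saved connection list."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(master, salt)
    pt = ftp_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    body = salt + nonce + ct
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_record(master: str, record: bytes) -> str:
    """Recover the FTP password; ValueError on wrong master password or tampering."""
    body, tag = record[:-32], record[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(master, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or modified record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    rec = seal("constructed master phrase", "constructed-ftp-secret")
    print("stored record:", rec.hex())
    print("recovered:", open_record("constructed master phrase", rec))
```

The master password would be prompted for once per session on first connect and kept only in memory; the record's strength is bounded by the strength of that password.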