Encryption of saved passwords / favourites
Posted 21 December 2009 - 04:11 AM
What we want to know is if it is possible to create some form of encryption for saved passwords / favorites similar to how Mozilla handles it with a 'Master Key/Password' that you need to know to be able to de-crypt the passwords?
Posted 21 December 2009 - 04:45 AM
SmartFTP encrypts the passwords with a symmetric key that is stored in the application. A user defined key cannot be set and would not significantly improve the security. It would also not make much sense if every application you have installed would require a master key. And even then it is technically possible to extract the password from the memory with little effort because the password must be decrypted at one point or the other.
If you really want to improve the security use public key authentication with the SSH server. You can safely store the private key in the certificate store in Windows under normal circumstances. SmartFTP is able (as the only client we know of) to authenticate a user with a private key from the Windows certificate store that is not marked as exportable. The following article will help you to set this up:
The article does not cover how to create a new certificate in the Windows certificate store. Please let me know if you need more information about that.
Posted 22 December 2009 - 10:00 PM
That is a valid point you mention about how the master key would need to be stored in memory at some point - but still this would help reduce the impact of being infected and having everything stolen, as you would need to open SmartFTP at some point of being infected for it all to be taken, rather than the instant you get infected. I know this would have saved us as it was around 4-5 hours after we suspect the machine was infected that Nod32 got an update and then removed it, but by then it was too late.
We are building an internal application at the office to help with password management (as we look after many clients' websites) and are using a master key setup to encrypt the passwords, however it only decrypts one at a time, i.e. when you want to view a password for a client then you type the master password to see that one password. This same idea could be applied to SmartFTP to reduce the impact as said above, but of course a keylogger would kill it pretty quick, but that would go for just about anything.
Posted 22 December 2009 - 10:21 PM
Every other solution gives a wrong sense of security.