Jump to content


Photo

Encryption of saved passwords / favourites


  • Please log in to reply
3 replies to this topic

#1 Lone

Lone
  • Members
  • 4 posts

Posted 21 December 2009 - 04:11 AM

We have had an office computer of ours infected with the Gumblar virus (still to determine how it happened with it having up to date windows/av) and had the passwords stolen from the favorites folder for SmartFTP - we always use SFTP for connections so we know it was taken this way.

What we want to know is if it is possible to create some form of encryption for saved passwords / favorites similar to how Mozilla handles it with a 'Master Key/Password' that you need to know to be able to de-crypt the passwords?

#2 mb

mb

    Developer

  • Administrators
  • 11527 posts
  • Gender:
    Male
  • Location:
    Worldwide

Posted 21 December 2009 - 04:45 AM

Hello ..

SmartFTP encrypts the passwords with a symmetric key that is stored in the application. A user defined key cannot be set and would not significantly improve the security. I would also not make much sense if every application you have installed would require a master key. And even then it is technically possible to extract the password from the memory with little effort because the password must be decrypted at one point or the other.

If you really want to improve the security use public key authentication with the SSH server. You can safely store the private key in the certificate store in Windows under normal circumstances. SmartFTP is able (as the only client we know of) to authenticate a user with a private key from the Windows certificate store that is not marked as exportable. The following article will help you to set this up:
http://www.smartftp....tion-f2637.html
The article does not cover how to create a new certificate in the Windows certificate store. Please let me know if you need more information about that.

Regards,
Mat

#3 Lone

Lone
  • Members
  • 4 posts

Posted 22 December 2009 - 10:00 PM

Thanks for the suggestion for the use of public key authentication but it is something that might be a bit too intense for what we need to do - especially when needing to sometimes access a site via FTP from a connection away from the office.

That is a valid point you mention about how the master key would need to be stored in memory at some point - but still this would help reduce the impact of being infected and having everything stolen as you would need to open SmartFTP at some point of being infected for it all to be taken, rather then the instant you get infected. I know this would have saved us as it was around 4-5 hours after we suspect the machine was infected that Nod32 got an update and then removed it but by then it was too late.

We are building an internal application at the office to help with password management (as we look after many client's websites) and are using a master key setup to encrypt the passwords, however it only decrypts one at a time ie. when you want to view a password for a client then you type the master password to see that one password. This same idea could be applied to SmartFTP to reduce the impact as said above, but of course a keylogger would kill it pretty quick but that would go for just about anything.

#4 mb

mb

    Developer

  • Administrators
  • 11527 posts
  • Gender:
    Male
  • Location:
    Worldwide

Posted 22 December 2009 - 10:21 PM

I can still recommend the solution where you save the private key in the Windows Personal Certification store (or in a SmartCard attached to it). You can import the private key to multiple computers if you want to access the servers from multiple locations. The big plus is that this infrastructure already exists, is widely deployed and has proven to be reliable and effective.

Every other solution gives a wrong sense of security.

Regards,
Mat




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users