Re: Windows Explorer may expose FTP passwords in plaintext
- From: "Shenan Stanley" <newshelper@xxxxxxxxx>
- Date: Sat, 19 Jul 2008 14:40:11 -0500
Brian Knittel wrote:
> If you use Windows Explorer to open an FTP site that requires a
> password, Explorer may display the password in clear text in the
> future through the autocomplete feature in Explorer's Address bar.
>
> I've tried this on one XP SP3 machine and the password DOES appear,
> but on another XP SP3 machine only the username appears. Steps to
> reproduce:
>
> 1. Open Windows Explorer and if necessary enable the display of the
>    Address bar
> 2. In the Address bar, enter the URI of an FTP server that does not
>    permit anonymous access and on which you have an account, e.g.
>    ftp://host.domain.com/myfolder
> 3. Windows Explorer will prompt you for a username and password,
>    and then will display the folder contents
> 4. Close Windows Explorer, then open Windows Explorer again.
> 5. In the Address bar, type ftp:
>
> At this point autocomplete should kick in and display the URI with
> at least your username and maybe the password displayed in clear
> text, e.g.
> ftp://username:password@xxxxxxxxxxxxxxx/somefolder
>
> The version with the username and password doesn't appear in the
> Address bar's MRU dropdown, but just in prompts popped up by
> autocomplete. The password does not seem to appear in plaintext in
> the Registry.
>
> As I said, I have one machine that reliably shows the password, and
> another that doesn't.
>
> Does anyone else find that the password is displayed?
>
> (No need to discuss the insecurity of FTP itself--that's not the
> issue here. This is about the potential for exposing previously
> used passwords on the desktop)

Actually - I would say that the last paragraph/disclaimer is the issue.
FTP is a basic transfer method - old (should be obsolete in my opinion - and
is in many places) and natively insecure. If you are using ftp to transfer
anything - I would consider that an unwise decision and would not expect
anything you use to make the natively insecure protocol any better for you
and thus - the best alternative IMHO - is to just find a better method of
file transfer. (Unless you are just grabbing files you feel okay with being
transferred in such an open method.)
As for the other responder - if you are foolhardy enough to go to a public
computer and log into a private FTP site using Internet Explorer and
download something - I am without words to express ... I mean - wow. I
know - not everyone may be aware how insecure FTP is - but - those people
probably aren't using FTP anyway. (I agree with point (1) of yours, BTW -
although that is more a function of the way the information gets passed to
the site than the browser - as well as the browser cache settings, etc. In
the case of old/obsolete FTP, that way is insecure and horrible all the way
down the line.)
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html