Re: Windows Explorer may expose FTP passwords in plaintext



I look at it this way... in the particular case of unencrypted FTP URLs, since the "userid:password" portion of the URL will be logged in cleartext in plenty of places besides the user's own profile, I don't see that there's much additional risk here.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Alun Jones" <alun@xxxxxxxxxxxxx> wrote in message news:49442919-8ED4-4B33-956C-D163B9CB0A4C@xxxxxxxxxxxxxxxx
"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message news:0308CDD5-F4A5-4D1D-BE24-FC16111208DD@xxxxxxxxxxxxxxxx
Please understand the science here. If a protocol is insecure on the wire, then there's zero benefit in trying to hide any aspects of that protocol conversation on the individual computer itself. Besides, the displayed password (retrieved from the URL history in this case) is displayed only to the particular user who's logged on. If some other user logs onto the PC, then that user can't see the first user's history (local admins excepted, of course).

Your first two sentences are a bit of a copout, Steve.

Plenty of people use FTP securely - say, for instance, over an encrypted VPN, or over IPsec.

As for the remaining sentences, it's worth noting that in most other places where you enter a password, the password is blanked out, even though it is indeed your own password.

The old "my password? yeah, it's eight stars" joke reminds us that passwords, where they can be recognised as such, should always be hidden from view. Otherwise, shoulder-surfing gets much easier.

Or are you planning on spreading this message throughout Windows, and having the logon screen echo the password back to the user as they type it?

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
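
The masking this thread argues about, as an added example that is not part of the thread and is not code from either poster: Python that finds and masks the password in `userid:password@` URLs before a history or log line is displayed. The function names and the sample lines are constructed for illustration.

```python
import re

# Matches scheme://user:password@ ; the greedy password group backtracks to
# the LAST '@' before the first '/', '?' or '#', so a raw '@' in the
# password is covered and a 'host:port' with no userinfo is left alone.
_URL_CRED = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)"
    r"(?P<user>[^\s:/?#@]*):(?P<password>[^\s/?#]*)@"
)
MASK = "*" * 8  # fixed width, so the mask does not reveal the password length


def mask_url_passwords(text):
    """Return (masked_text, number_of_passwords_masked)."""
    return _URL_CRED.subn(lambda m: f"{m['scheme']}{m['user']}:{MASK}@", text)


def find_exposed(lines):
    """Return (line_number, scheme, user) for each URL carrying a password."""
    return [
        (n, m["scheme"].rstrip(":/").lower(), m["user"])
        for n, line in enumerate(lines, 1)
        for m in _URL_CRED.finditer(line)
    ]


# Constructed sample entries (not real history or log data).
SAMPLE = [
    "Visited: jdoe@ftp://jdoe:hunter2@ftp.example.com/reports/",
    "GET ftp://backup:p@ss:w0rd@[2001:db8::1]:2121/nightly.tar",
    "Visited: jdoe@ftp://ftp.example.com:21/pub/readme.txt",
    "GET http://example.com/search?q=user:name@example.org",
]

if __name__ == "__main__":
    for n, scheme, user in find_exposed(SAMPLE):
        print(f"line {n}: {scheme} URL stores a password for user {user!r}")
    for line in SAMPLE:
        print(mask_url_passwords(line)[0])
```

Masking only changes what is shown or written from that point on; a password already stored in a history file or log remains there in cleartext.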

