#32 Password management / encryption system

closed
nobody
None
8
2012-04-11
2004-11-10
Anonymous
No

I think it is critical to have the option to not
locally store passwords (especially in plain text!).
This is actually keeping me from using JFtp right now.
Storing passwords for insecure protocols such as FTP
isn't that big of a deal, but I cannot use an app that
stores my SFTP password(s) on disk, especially in plain
text.

What I would suggest for this enhancement would be to
perhaps have a checkbox "Ask for password" (or "Don't
Save Password") in the "Connect to..." dialogs. The
setting could be saved with the rest of the connection
info. Then whenever the connection is attempted the
user would be prompted to enter the password (which
would not be saved anywhere).

Discussion

  • Cyberdemon
    2004-11-12

    Logged In: YES
    user_id=164594

    Agree, I'll take a look at this soon.

     
  • Cyberdemon
    2004-11-12

    • priority: 5 --> 8
     
  • Cyberdemon
    2004-11-16

    • status: open --> closed
     
  • Cyberdemon
    2004-11-16

    Logged In: YES
    user_id=164594

    There is a checkbox in options -> security now which
    prevents passwords from being stored (and deletes the old
    ones if wanted). The default is to not save passwords now,
    too...

    We should now add some kind of encryption for passwords that
    are saved, any ideas? I'd otherwise start with some easy
    encryption without the need of some kind of master password
    or something just for "security through obscurity".

    (leaving this request open for further comments)

     
  • Cyberdemon
    2004-11-16

    • status: closed --> open
     
  • Jake Kasprzak
    2004-11-19

    Logged In: YES
    user_id=691521

    Hello.

    I can definitely understand you not wanting passwords to be
    stored in plain text, and so it was good to see that this
    feature was added in the latest version. Something I did
    consider was having the application make sure that the files
    that stored passwords had their permissions set so that no
    other user had permission to read them. And there is a way
    that that could be implemented, but the only solutions I
    could find are platform-dependent, which we do not want. But
    there is a suggestion I would like to make.

    I personally like the idea of having a master password that
    a user would enter before any connection requiring a
    password is ever opened. This is similar to a feature that
    is in the Firefox web browser. I personally don't use the
    master password feature in it, but this could be quite
    useful for users who need to connect to a number of FTP or
    SFTP sites and don't want to keep having to enter their
    passwords every time they connect. The way this could be
    implemented is by having the user first enter their master
    password, and a cryptographic hash function could be used to
    store this password in encrypted form. Then whenever the
    user enters their master password, the hash is computed, and
    compared to the hash that is stored. If the hashes match,
    then the user entered the correct password, and would then
    be able to not have to enter any passwords after that. And
    then every password can then be stored in encrypted form,
    using a key that is based on what the master password is.
    This is just an idea that I have, and if any of you can see
    anything wrong with it, please tell me.

    Also, we can look into other ways of storing passwords.
    Perhaps we could borrow a few ideas from other applications?
    I'll look into this further, and any other suggestions are
    welcome. Thus far, I think we can say this application has
    been built on the assumption that it'll mostly be used by
    computers that aren't used by others, and we need to change
    that.

    Thanks,

    J.K.
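
One way to realize the master-password idea from the comment above, as an added example (not JFtp code and not the patch that later shipped in 1.55). It uses PBKDF2 and AES-GCM from the standard Java library and relies on the GCM authentication tag, rather than a separately stored hash, to detect a wrong master password. The class name, iteration count and sample strings are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class for illustration; not part of JFtp.
public class MasterPasswordVault {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 600_000; // assumed work factor; tune for the target hardware

    // Stretch the master password into an AES-256 key using a per-vault random salt.
    static SecretKeySpec deriveKey(char[] master, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, ITERATIONS, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    // Record layout: 12-byte nonce || ciphertext+tag. GCM requires a fresh nonce for every record.
    static byte[] seal(SecretKeySpec key, String sitePassword) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(sitePassword.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the key (the master password) is wrong or the record was altered.
    static String open(SecretKeySpec key, byte[] record) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, record, 0, 12));
        return new String(c.doFinal(record, 12, record.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // stored unencrypted next to the records
        byte[] record = seal(deriveKey("correct horse".toCharArray(), salt), "sftp-site-password"); // constructed values
        System.out.println("right master password: " + open(deriveKey("correct horse".toCharArray(), salt), record));
        try {
            open(deriveKey("wrong guess".toCharArray(), salt), record);
        } catch (AEADBadTagException e) {
            System.out.println("wrong master password: rejected by the GCM tag");
        }
    }
}
```

Only the salt and the sealed records need to be written to disk; neither the master password nor the derived key is stored.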

     
  • Cyberdemon
    2005-01-27

    • summary: Add Option to Not Store Passwords --> Password management / encryption system
     
  • Cyberdemon
    2005-01-27

    Logged In: YES
    user_id=164594

    Changed topic

     
  • Cyberdemon
    2012-04-11

    1.55 contains encryption patch submitted by Pavel, I consider this done for now.

     
  • Cyberdemon
    2012-04-11

    • status: open --> closed