I just realised that I got lazy while using Filezilla.
A few years ago, I got tired of looking up passwords in Keepass, and so (for some of the websites I administer), I just stored the passwords in Filezilla (an FTP client).
I justified it to myself by saying things like:
- I’m unlikely to get infected.
- If I do get infected, then Filezilla will probably not be running at the same time.
- Filezilla probably encrypts the passwords, so that nobody but me can use them.
I realised that all the above assumptions are false, once I got infected a few weeks ago.
Removing the infection was easy, but a few days later, I noticed that I couldn’t add images to my blog (as well as other strange behavior).
Thinking it was a hosting issue, I raised a ticket with hostgator, and they quickly found out that my account had been hacked (and they changed my password for me, as well as restoring altered file permissions).
I thought that was the end of it, until I noticed that some of the websites that I maintained were having similar issues.
It's then that I realised what happened: all sites that I had in filezilla (with a stored password) had been logged into, and many file permissions had been changed to “777” (i.e. full access by anyone).
It didn’t take long before I realised that there is no easy way that Filezilla can store passwords and also hide them from malware (unless Filezilla starts working like KeePass, and even KeePass can be hacked unless it's set up to “lock workspace” every 60 seconds, and then most people will disable that option without realising the dangers in doing so).
So, I have now removed all passwords stored in Filezilla (and I strongly urge you to do the same).
It might be inconvenient, but it's worth it.
I had about 8 hacked websites.
Some did not have shell access, so I had to navigate through all folders and subfolders (using Filezilla), changing permissions along the way, as well as refreshing most files from a backup, as some had been altered.
Many hours of wasted time, which I didn’t really need at the time.
I’ve seen many people complain that filezilla “should” encrypt the passwords, but it doesn’t take long to realise that it won’t work: the passwords need to be decrypted at some point, and that's when some spyware will read it.
It's not a failing of Filezilla, it's a failing within us (laziness).
So, in conclusion: don’t ever store FTP passwords in programs like Filezilla.
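As an added example (not part of the original post), here is a small audit script for checking whether a FileZilla 3 Site Manager file still carries stored passwords. FileZilla keeps its sites in sitemanager.xml (under ~/.config/filezilla/ on Linux, %APPDATA%\FileZilla\ on Windows); entries with LogonType 1 ("Normal") store the password in a <Pass> element, merely base64-encoded unless a master password is set. The sample XML below is constructed, and the script only reports which entries carry a password, never decoding or printing it.

```python
"""Audit a FileZilla 3 sitemanager.xml for entries that still store a password."""
import xml.etree.ElementTree as ET

# LogonType values used by FileZilla 3; only "Normal" (1) persists the password.
LOGON_TYPE_NAMES = {
    "0": "Anonymous", "1": "Normal", "2": "Ask",
    "3": "Interactive", "4": "Account", "5": "Key file",
}

# Constructed sample file: hosts use the reserved .invalid TLD and the
# base64 value is the placeholder string "placeholder", not a real secret.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.40.0" platform="*nix">
  <Servers>
    <Server>
      <Host>ftp.example-blog.invalid</Host>
      <Port>21</Port>
      <LogonType>1</LogonType>
      <User>blogadmin</User>
      <Pass encoding="base64">cGxhY2Vob2xkZXI=</Pass>
      <Name>blog</Name>
    </Server>
    <Server>
      <Host>sftp.client-site.invalid</Host>
      <Port>22</Port>
      <LogonType>2</LogonType>
      <User>deploy</User>
      <Name>client site</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_sitemanager(xml_text):
    """Return one dict per Site Manager entry that has a stored <Pass> element.

    The password itself is never read; only its encoding attribute is reported,
    because "base64" means any process that can read the file recovers it,
    whereas "crypt" indicates FileZilla's master-password protection is on.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None:
            continue  # LogonType "Ask" / key file entries keep no password
        findings.append({
            "name": server.findtext("Name", default=""),
            "host": server.findtext("Host", default=""),
            "user": server.findtext("User", default=""),
            "logon": LOGON_TYPE_NAMES.get(server.findtext("LogonType", ""), "unknown"),
            "encoding": pass_el.get("encoding", "plain"),
        })
    return findings

if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"stored password: {f['name']!r} {f['user']}@{f['host']} "
              f"(logon={f['logon']}, encoding={f['encoding']})")
```

To audit a real installation, pass the contents of your own sitemanager.xml to audit_sitemanager and switch every reported entry to "Ask for password" in the Site Manager.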