06-24-2002, 05:33 AM
Application Password Protection Flaw

After using the FlashFXP Application Password Protection feature for the first time, I believe that it is ironically more insecure than secure.

I can go onto someone else's machine who does not use Application Password Protection. Type in a password. View all of their passwords. Then clear the password I set again. They would never know any different.


1. If I don't set a password, and I don't know about Application Password Protection, anyone can see my passwords by just creating a new password, then removing it without my knowledge. INSECURE PASSWORDS.

2. If I don't wish to set a password, but do know about Application Password Protection, then I am forced to use it unwillingly (because of the larger risk of 1). This then gives me the hassle of having to enter a password each time I load FlashFXP (for a feature I don't want) and I can't leave my computer alone without the hassle of minimising Flash to the tray, and locking it (for a feature I don't want). INSECURE PASSWORDS WHEN LEFT OPEN + ADDITIONAL HASSLE.

Either way, my passwords are now less secure in FlashFXP, even though I may not wish to use the new feature.

A possible alternative would be if the user was forced to set a password after they install version 2.x for the first time. They would not be prompted to enter the password on startup of FlashFXP (as this just annoys people). They would only be prompted for the password when they attempt to "reveal" the password to a site. FlashFXP would then allow viewing of passwords for the rest of that session. Alternatively, there could be an option which allows the toggling of Application Password Protection using the existing method. Both options would basically make the person who installs FlashFXP the administrator of the Site Manager, as they would have the password for the application.

Bear in mind, however, that this option still forces the user into using Application Password Protection; protecting all their sites with one password. There will still be a few users who completely do not want this feature made available and probably set different passwords for different sites intentionally.

There is no current way of disabling this feature.
Ethanol
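The design problem the post describes, and the fix it proposes, come down to one authorisation rule: who is allowed to create or change the application password, and whether "reveal" can be unlocked by a password that was set moments ago by whoever is at the keyboard. The toy model below is an added example written for this page; it is not FlashFXP code and makes no claim about how FlashFXP stores anything. `WeakSiteManager` models the behaviour complained about (protection off by default, first "set password" needs no authorisation, reveal gated only on that password), while `FixedSiteManager` models the proposal (an application password is mandatory at first run, reveal always requires it and then stays unlocked for the session, and changing it requires the current one). The site names, passwords and the scenario functions are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: a site manager holding one saved site password.
SAMPLE_SITES = {"example-site": "s3cret"}


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the toy stores a verifier, never the app password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class _Verifier:
    """Salted verifier for the application password."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def check(self, candidate: Optional[str]) -> bool:
        if candidate is None:
            return False
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))


class WeakSiteManager:
    """Models the behaviour the post describes: protection is off by default
    and the first 'set password' requires no authorisation."""

    def __init__(self, sites: dict):
        self._sites = dict(sites)  # site name -> stored site password
        self._verifier: Optional[_Verifier] = None  # None = protection off

    def set_app_password(self, new: Optional[str], current: Optional[str] = None) -> None:
        # The flaw: when no app password exists, anyone may create one.
        if self._verifier is not None and not self._verifier.check(current):
            raise PermissionError("current app password required")
        self._verifier = _Verifier(new) if new is not None else None  # None clears it

    def reveal(self, site: str, app_pw: Optional[str]) -> str:
        # Reveal is gated only on the app password, which may be one that
        # was just set by whoever is at the keyboard.
        if self._verifier is not None and not self._verifier.check(app_pw):
            raise PermissionError("wrong app password")
        return self._sites[site]


class FixedSiteManager:
    """Models the post's proposal: an app password is mandatory at install,
    reveal always requires it (then unlocks for the session), and changing
    it requires the current one."""

    def __init__(self, sites: dict, install_password: str):
        if not install_password:
            raise ValueError("an app password must be set at install time")
        self._sites = dict(sites)
        self._verifier = _Verifier(install_password)
        self._unlocked = False  # first successful reveal unlocks the session

    def set_app_password(self, new: str, current: str) -> None:
        if not new or not self._verifier.check(current):
            raise PermissionError("current app password required")
        self._verifier = _Verifier(new)

    def reveal(self, site: str, app_pw: Optional[str] = None) -> str:
        if not self._unlocked:
            if not self._verifier.check(app_pw):
                raise PermissionError("app password required to reveal")
            self._unlocked = True
        return self._sites[site]


def walk_up_reveal_weak(sites: dict) -> bool:
    """Scenario from point 1 of the post against the weak design: set a
    password, reveal, clear it again. Returns True if the stored site
    password came out without the owner's involvement."""
    mgr = WeakSiteManager(sites)
    mgr.set_app_password("temporary")            # no authorisation needed
    leaked = mgr.reveal("example-site", "temporary")
    mgr.set_app_password(None, "temporary")      # cleared again, no trace left
    return leaked == sites["example-site"]


def walk_up_reveal_fixed(sites: dict) -> bool:
    """Same scenario against the fixed design: without the install-time
    password neither a password change nor a reveal succeeds."""
    mgr = FixedSiteManager(sites, install_password="owner-secret")
    try:
        mgr.set_app_password("temporary", current="guess")
    except PermissionError:
        pass
    try:
        mgr.reveal("example-site", "guess")
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print("weak design leaks to a walk-up user:", walk_up_reveal_weak(SAMPLE_SITES))
    print("fixed design leaks to a walk-up user:", walk_up_reveal_fixed(SAMPLE_SITES))
```

The check that matters is in `set_app_password`: the weak model only demands the current password when one already exists, so the empty state is the bypass; the fixed model never has an empty state, which is exactly why the post wants the password chosen at install rather than left optional. The session unlock in `FixedSiteManager.reveal` reproduces the "no prompt at startup, prompt once on reveal" convenience the post asks for.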