Application Password Protection Flaw

[Ethanol]

After using the FlashFXP Application Password Protection feature for the first time, I believe that it is ironically more insecure than secure.

I can go onto someone else's machine who does not use Application Password Protection. Type in a password. View all of their passwords. Then clear the password I set again. They would never know any different.

Scenarios:

1. If I don't set a password, and I don't know about Application Password Protection, anyone can see my passwords by just creating a new password, them removing it without my knowledge. INSECURE PASSWORDS.

2. If I don't wish to set a password, but do know about Application Password Protection, then I am forced to use it unwillingly (because of the larger risk of 1). This then gives me the hassle of having to enter a password each time I load FlashFXP (for a feature I don't want) and I can't leave my computer alone without the hassle of minimising Flash to the tray, and locking it (for a feature I don't want). INSECURE PASSWORDS WHEN LEFT OPEN + ADDITIONAL HASSLE.

Either way, my passwords are now less secure in FlashFXP, even though I may not wish to use the new feature.

A possible alternative would be if the user was forced to set a password after they install version 2.x for the first time. They would not be prompted to enter the password on startup of FlashFXP (as this just annoys people). They would only be prompted for the password when they attempt to "reveal" the password to a site. FlashFXP would then allow viewing of passwords for the rest of that session. Alternatively, there could be an option which allows the toggling of Application Password Protection using the existing method. Both options would basically make the person who installs FlashFXP the administrator of the Site Manager, as they would have the password for the application.

Bear in mind, however, that this option still forces the user into using Application Password Protection; protecting all their sites with one password. There will still be a few users who completely do not want this feature made available and probably set different passwords for different sites intentionally.

There is no current way of disabling this feature.

[bigstar]

I was very skeptical about adding the Reveal option, however many users requested it. If you can show me otherwise I will remove it. Other suggestion was to export the site list to a clear text which included passwords, However I haven't gotten to that yet.

If the password is remembered then there's virtually no security and Application Password Protection is pointless.

Forcing the user to set a password is a bad idea, More than likely they're going to forget it or loose it.

Application Password Protection can be removed from the GUI by adding a value to the FlashFXP, under [main] security=0

[floris]

In your scenario, if you are on a friends system (your a bad friend then hehe) and you want their pass, just put Revelation on a disk and pop it in. Quickly slide the curcor over the input field with the *** and it will reveal the pass. (see screenshot)

I think Ethanol has a good point here, if no pass is set, anyone behind the system can set one, and reveal the passes. On the other hand, the end user is kind of responsible for who he is letting on his system. But a worm/trojan installed on a system that scans for secured, tries to set a pass, reads out the insecure passes and removes the pass again, emails it to a given addy.. is harder to stop. This is why I think it is currently more secure to not secure it.

[bigstar]

A worm/trojan wouldn't even have to do that, but I doubt one would be able to do that via automation. When not using the Application Password Protection passwords are stored in the flashfxp.ini using a generic encryption and all you need to do is figure out the algorithm.

Using Application Password Protection is a 100% solution, not using it you are at risk no matter how you look at it.

You would not believe how many people have contacted me asking for the reveal password feature to be available even when the Application Password is not set.

[MidKnight]

and i hope it doesn't get srapped either. my main purpose i use it for, is that often change the password on a site, so i can take a look at it to remember what it was, then i can change it to something else

[Ethanol]

I still believe it should be an option on install. Passwords are highly sensitive, and being as freely available as they now are is a high security risk. I don't see many corporate users wishing to invest in a product which forces you to use one password for all of your sites (which is essentially what it is doing).

I suggest a better implementation (although it would require further coding), would be to ask the user on install whether they would like to install the Application Password Protection feature or not, and give them a warning explaining how it works. For those who do the sites may as well be written in plain text (from what I've read from above). For those who do not (e.g. corporations who actually want secure passwords), each password should generate a unique hash, breakable only by brute-force attempts.

By adding this feature, you are admitting that there is a security risk, and pretty much stating that because there is a risk, you might as well integrate that risk into FlashFXP. I mean, it's a bit like MS abandoning their 25-figure product keys, because they're easy enough to find on the web anyway.

It's all very well removing APP from the GUI, but it is just as easy to re-add it by reversing what you have just said.

[bigstar]

Quote:

each password should generate a unique hash, breakable only by brute-force attempts

Logically I don't see how this is possible, a password that is encrypted must be eventually decrypted to log into the site. If this magic key isn't requested from the user then it must be stored somewhere, which from your point of view makes it insecure.

Quote:

By adding this feature, you are admitting that there is a security risk

The encryption used to protect the passwords was good enough for most people. This feature was added by popular demand. Nothing more, nothing less.

Most programs that contain passwords/private information encrypt it using weak methods or methods that can be reverse engineered. That's just the way it is.

Application Password Protection was designed to take it a step further. The majority of the users who use this feature have no complaints. From a marketing stand point majority rules..

[Tribble]

FlashFXP.exe -pass=password

A nice feature to disable password question, if security is enabled. But this feature doesn't work anymore in the new FlashFXP Build 869. On every FlashFXP Start I have to enter the password, its relly annoying.

Please tell me the new command line to skip the password question!


Thanks,

Tribble

[bigstar]

it sounds like you missed out on the changes, we had to change -pass=<pass> to allow for passwords with spaces the new format is -pass="<pass>"

[Tribble]

Thanks You BigStar, works fine for me

[SubZero]

thanks puby

[Abyzmic]

I'm happy with it... All I have to say is, if a human made it, another can break it when it comes to the password issue. Nothing is 100% secure.