Old 06-24-2002, 05:33 AM   #1
Ethanol
Member
FlashFXP Registered User
 
Join Date: Feb 2002
Posts: 82
Default Application Password Protection Flaw

After using the FlashFXP Application Password Protection feature for the first time, I believe that it is ironically more insecure than secure.

I can go onto someone else's machine who does not use Application Password Protection. Type in a password. View all of their passwords. Then clear the password I set again. They would never know any different.

Scenarios:

1. If I don't set a password, and I don't know about Application Password Protection, anyone can see my passwords by just creating a new password, them removing it without my knowledge. INSECURE PASSWORDS.

2. If I don't wish to set a password, but do know about Application Password Protection, then I am forced to use it unwillingly (because of the larger risk of 1). This then gives me the hassle of having to enter a password each time I load FlashFXP (for a feature I don't want) and I can't leave my computer alone without the hassle of minimising Flash to the tray, and locking it (for a feature I don't want). INSECURE PASSWORDS WHEN LEFT OPEN + ADDITIONAL HASSLE.

Either way, my passwords are now less secure in FlashFXP, even though I may not wish to use the new feature.

A possible alternative would be if the user was forced to set a password after they install version 2.x for the first time. They would not be prompted to enter the password on startup of FlashFXP (as this just annoys people). They would only be prompted for the password when they attempt to "reveal" the password to a site. FlashFXP would then allow viewing of passwords for the rest of that session. Alternatively, there could be an option which allows the toggling of Application Password Protection using the existing method. Both options would basically make the person who installs FlashFXP the administrator of the Site Manager, as they would have the password for the application.

Bear in mind, however, that this option still forces the user into using Application Password Protection; protecting all their sites with one password. There will still be a few users who completely do not want this feature made available and probably set different passwords for different sites intentionally.

There is no current way of disabling this feature.
Ethanol is offline  
Old 06-24-2002, 06:19 AM   #2
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

I was very skeptical about adding the Reveal option, however many users requested it. If you can show me otherwise I will remove it. Other suggestion was to export the site list to a clear text which included passwords, However I haven't gotten to that yet.

If the password is remembered then there's virtually no security and Application Password Protection is pointless.

Forcing the user to set a password is a bad idea, More than likely they're going to forget it or loose it.

Application Password Protection can be removed from the GUI by adding a value to the FlashFXP, under [main] security=0
bigstar is offline  
Old 07-03-2002, 01:19 PM   #3
floris
Member
FlashFXP Registered User
 
Join Date: Jul 2002
Posts: 65
Default my thought

In your scenario, if you are on a friends system (your a bad friend then hehe) and you want their pass, just put Revelation on a disk and pop it in. Quickly slide the curcor over the input field with the *** and it will reveal the pass. (see screenshot)

I think Ethanol has a good point here, if no pass is set, anyone behind the system can set one, and reveal the passes. On the other hand, the end user is kind of responsible for who he is letting on his system. But a worm/trojan installed on a system that scans for secured, tries to set a pass, reads out the insecure passes and removes the pass again, emails it to a given addy.. is harder to stop. This is why I think it is currently more secure to not secure it.
Attached Thumbnails
Application Password Protection Flaw-security-jpg  
floris is offline  
Old 07-03-2002, 01:42 PM   #4
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

A worm/trojan wouldn't even have to do that, but I doubt one would be able to do that via automation. When not using the Application Password Protection passwords are stored in the flashfxp.ini using a generic encryption and all you need to do is figure out the algorithm.

Using Application Password Protection is a 100% solution, not using it you are at risk no matter how you look at it.

You would not believe how many people have contacted me asking for the reveal password feature to be available even when the Application Password is not set.
bigstar is offline  
Old 07-03-2002, 10:27 PM   #5
MidKnight
Senior Member
FlashFXP Beta Tester
ioFTPD Registered User
 
Join Date: Oct 2001
Posts: 857
Default

and i hope it doesn't get srapped either. my main purpose i use it for, is that often change the password on a site, so i can take a look at it to remember what it was, then i can change it to something else
MidKnight is offline  
Old 07-13-2002, 06:02 AM   #6
Ethanol
Member
FlashFXP Registered User
 
Join Date: Feb 2002
Posts: 82
Default

I still believe it should be an option on install. Passwords are highly sensitive, and being as freely available as they now are is a high security risk. I don't see many corporate users wishing to invest in a product which forces you to use one password for all of your sites (which is essentially what it is doing).

I suggest a better implementation (although it would require further coding), would be to ask the user on install whether they would like to install the Application Password Protection feature or not, and give them a warning explaining how it works. For those who do the sites may as well be written in plain text (from what I've read from above). For those who do not (e.g. corporations who actually want secure passwords), each password should generate a unique hash, breakable only by brute-force attempts.

By adding this feature, you are admitting that there is a security risk, and pretty much stating that because there is a risk, you might as well integrate that risk into FlashFXP. I mean, it's a bit like MS abandoning their 25-figure product keys, because they're easy enough to find on the web anyway.

It's all very well removing APP from the GUI, but it is just as easy to re-add it by reversing what you have just said.
Ethanol is offline  
Old 07-13-2002, 07:07 AM   #7
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

Quote:
each password should generate a unique hash, breakable only by brute-force attempts
Logically I don't see how this is possible, a password that is encrypted must be eventually decrypted to log into the site. If this magic key isn't requested from the user then it must be stored somewhere, which from your point of view makes it insecure.

Quote:
By adding this feature, you are admitting that there is a security risk
The encryption used to protect the passwords was good enough for most people. This feature was added by popular demand. Nothing more, nothing less.

Most programs that contain passwords/private information encrypt it using weak methods or methods that can be reverse engineered. That's just the way it is.

Application Password Protection was designed to take it a step further. The majority of the users who use this feature have no complaints. From a marketing stand point majority rules..
bigstar is offline  
Old 09-02-2002, 07:21 AM   #8
Tribble
Junior Member
FlashFXP Registered User
 
Join Date: Dec 2001
Posts: 23
Default

FlashFXP.exe -pass=password

A nice feature to disable password question, if security is enabled. But this feature doesn't work anymore in the new FlashFXP Build 869. On every FlashFXP Start I have to enter the password, its relly annoying.

Please tell me the new command line to skip the password question!


Thanks,

Tribble
Tribble is offline  
Old 09-02-2002, 02:50 PM   #9
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

it sounds like you missed out on the changes, we had to change -pass=<pass> to allow for passwords with spaces the new format is -pass="<pass>"
bigstar is offline  
Old 09-02-2002, 03:51 PM   #10
Tribble
Junior Member
FlashFXP Registered User
 
Join Date: Dec 2001
Posts: 23
Default

Thanks You BigStar, works fine for me
Tribble is offline  
Old 10-08-2002, 06:46 AM   #11
SubZero
Junior Member
 
Join Date: Nov 2001
Posts: 21
Default

thanks puby
SubZero is offline  
Old 10-08-2002, 11:46 AM   #12
Abyzmic
Junior Member
FlashFXP Registered User
 
Join Date: Aug 2002
Posts: 9
Default

I'm happy with it... All I have to say is, if a human made it, another can break it when it comes to the password issue. Nothing is 100% secure.
Abyzmic is offline  
 

Tags
application, flashfxp, password, passwords, protection

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 10:07 AM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)