Re: [Full-disclosure] Filezilla's silent caching of user's credentials
- To: Mutiny <mutiny@xxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
- From: silky <michaelslists@xxxxxxxxx>
- Date: Thu, 14 Oct 2010 09:41:18 +1100
On Wed, Oct 13, 2010 at 2:33 PM, Mutiny <mutiny@xxxxxxxxxxxxxxxxxxx> wrote:
> The issue is that someone gained access to that file. You sharing your
> drives over the internet with read privileges? You have other
> vulnerable software being leveraged to read that file? Would you prefer
> they MD5'd it? It sounds like your issue is that your password is
> stored. I mean, they moved your encrypted password from passwd to
> shadow for a reason, but that doesn't change the fact that it's stored
> and if someone doesn't need access to shadow or passwd, they shouldn't
> have it.
>
> Stop logging into your FTP server from a public terminal with Filezilla.
Rubbish.

The passwords should be encoded so as to avoid trivial searching. End
of story. It takes 10 minutes to do from a development point of view,
and there is no excuse.

--
silky
http://dnoondt.wordpress.com/
"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/