Showing passwords and company security

Working for a reasonably sized company, it has been decided to use smartftp for FTP access to customers because of its command line interface. We do have an internal customer database that is used to store the IP addresses, user IDs and passwords of our customers. From that database we can start an ftp session by the command line:
smartftp ftp://user:password@ipaddres/directory

This database makes it easy for all employees to log in without having to know the user IDs and passwords.

Over the last period of years, security at IT companies has become more strict. If an employee abuses the login data from the company in order to harm a customer, the company could be responsible.

SmartFTP has the great feature that one can start it up via the command line, but unfortunately an option exists (in Tools, Settings, Display) called Hide Passwords. Unticking that option will show all passwords.

Would it be possible to make the following change...

Add to the command line parameters the following options:
- NO_SAVE: This would disallow the user to save the login data in the favorites.
- DO_NOT_SHOW_PASSWORD: This would, for that FTP session, make sure that the password is not shown.

This would allow companies, like ourselves, to use smartftp in a much more controlled way.

We have similar needs within our company, working worldwide with approximately 2500 users.

Due to quality and protection procedures we are looking for an FTP program which allows us, like the mentioned 'request', for a program with parameters in the command line.

One of our favorites is Smartftp, but we have found this problem as a possible showstopper.

Are you guys planning to add e.g. an extra registry key which prevents storing addresses in favourites and always hide the password?

Thanks

Hello ...

Are you looking for a registry setting in the HKLM or in the HKCU registry branch? I assume this setting should also disable all "easy" ways to extract the password. e.g. Copy URL, Favorites Export to Text file, Show Password checkbox, Queue Properties, etc.

We can add a registry setting as proposed but it doesn't really increase the security.

Regards,
-Mat

Hi Mat,

I'm looking for a command line switch that prevents the password from being shown and the URL from being added to the favorites.

This way, you can use the current functionality as is. So people can view the passwords they've added themselves, but if from the application a commandline is launched, the commandline switch makes sure that they can never view the passwords, nor store them and view them later.

Hacking registry settings from our application is something we've been thinking about, but the problem is that if you add the site to the favorites, you can change the parameter afterwards and view the passwords from there.

best cheers,
Freek

Hi Mat and Freek,

I think that Freek's proposal should do the same regarding our needs: preventing users from seeing passwords directly or at a later stage.

Regards, Jan...

What I can offer you is a registry setting in the HKLM (Local Machine) branch. This way you can set it to read only and the users are unable to change it. It would also override the user settings. I'm not a big fan of the command line parameter.
-Mat
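
Added example, not part of the post above and not SmartFTP's own code: a PowerShell check an administrator could run to confirm that a policy key under HKLM can be modified only by trusted principals, which is the property the "read only" suggestion relies on. The key path is a placeholder because the thread does not name the actual setting, and the list of trusted SIDs is an assumption to adjust per environment.

```powershell
# Added example. The key path is a placeholder: the thread does not name the real setting.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleClient\Policy'
)

# Rights that let a principal change the value or loosen the ACL.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Assumed trusted writers, by well-known SID (locale independent).
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$acl      = Get-Acl -Path $KeyPath -ErrorAction Stop
$findings = @()

# The owner can always rewrite the ACL, so it must be trusted too.
$owner = $acl.GetOwner($sidType).Value
if ($trustedSids -notcontains $owner) {
    $findings += "Owner $owner is not a trusted principal"
}

foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    # Inherit-only entries apply to subkeys, not to this key itself.
    if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }
    $granted = [int]$rule.RegistryRights -band [int]$writeRights
    if ($granted -eq 0) { continue }
    $sid = $rule.IdentityReference.Value
    if ($trustedSids -contains $sid) { continue }
    $rights = [System.Security.AccessControl.RegistryRights]$granted
    $findings += "$sid can modify the key ($rights)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "$KeyPath is writable only by trusted principals"
```

A non-zero exit code means a standard user or group holds a write-type right on the key, or owns it, and could therefore change the setting back.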

Mat,

That sounds fine to me as well.

Thanks,
Freek

Mat, Freek,

I was off for a short holiday, so sorry for not replying.

Mat, your solution should do the trick, shouldn't it?
Looking forward to testing it. Any idea when this might happen?

Thanks in advance, Jan...

The proposed setting would turn on the following rules:

- URL bar always shows hidden password
- The password of favorite items is never saved. Passwords of existing favorites will be reset.
- The password of history items is never saved. Passwords of existing history items will be reset.
- Copy URL -> FTP function is disabled.

Any additions? Comments? Requests?

-Mat

Mat,

Does this also mean that the Hide Passwords option in the display settings area is disabled (greyed out) and/or is overruled by the HKLM setting?

For me this is the solution to my problem.

Perhaps Freek has any other comments?

Thanks in advance, Jan...

Mat,

I think that's exactly it. Be aware that this should only happen for sites that are started with a URL. So sites that are created manually should follow the old rules, even with displaying passwords if people want.

Best cheers and thanks in advance,
Freek

The setting will be global. It means once enabled no more passwords are shown or saved.
-Mat

Mat,

Don't know what Freek's demands are, but for my company this is exactly what we want.

Regards, Jan...

Hi Mat,

I've installed it and it works. Just one small other question. Since I've installed this update, I get every other time a message about buying a maintenance fee. Is there a way to disable this message?

Best cheers and thanks in advance,
Freek

Putting the words "FTP" and "security" in the same sentence is, to put it mildly, inadequate. FTP is an inherently insecure, antique and outdated protocol which simply HAS to be replaced by SFTP in order to achieve security.

What's wrong with FTPS (FTP over SSL) as opposed to SFTP?