How strong is the encryption of passwords for things like FTP logins?
My suspicion is that it is weak. How easy would it be to reverse it? (I presume it is the "cookie" value in the action data).
Matthew
Hi Matthew,
I don't want to answer your question directly, so I'll answer it indirectly.
If any program needs to read a password back in plaintext form (i.e. to pass it to an FTP Server), then it can't be stored in a properly secure way. Even if you use strong encryption (and we do), the program still needs a way to read the value back.
The same goes for any software which saves passwords that have to be passed to other utilities or sites (this includes IE, any FTP or Email client, Firefox if you don't set a master password, etc, etc.)
The difference is if you're only using the password internally for your own application, in which case you can store it as a salted hash (preferably using a hashing algorithm suitable for storing passwords.)
If you're concerned about the password being stolen then I suggest you create a specific FTP account for FinalBuilder to use, give it only the permissions it needs (i.e. write-only to the uploads folder), and use a unique password for that account.
Alternatively, make sure your project files remain secure.
Regards,
Angus
PS It's probably worth mentioning that the FTP protocol will happily broadcast your password in plaintext in a TCP packet, so it's worth making sure your network is secure as well.
PPS Disclaimer: I'm not a security expert, and I'm definitely not a cryptographer.
PPPS Are you asking because you forgot your password?
Thanks Angus. It sounds like you are using security that is as strong as it can sensibly be. In the past I’ve done things like storing the key in a file as well as the passwords encrypted. The key is generated for each new file, and obviously taking the two makes it possible to decrypt, but it stops someone copying and pasting the password part into another script and using it. (They could take both parts but the casual user won’t).
I’ve not lost my password, this is just because I’m making a build system that others will use, and yes I’d like to keep my account secure. I’ll create a new account I think, or something.
Many thanks, Matthew