Why SFTP password is base64 encrypted ?

Discuss new features and functions
Posts: 4
Joined: 9 Sep 2023

Plug-fr

Hi,

As I use remote NAS with SFTP server to bachup my datas, I note the password is base64 encoded in the FFS cloud command :
lien.png
lien.png (9.06 KiB) Viewed 16430 times
I’m worried about this behavior.

Aren’t the SFTP commands not already encrypted by FreeFileSync before before being sent through the internet ?

I guess only an FFS developer can answer this question. I'm new on this forum and I don't know if FFS developpers are on this forum...

Thank's

LeoW

They are. Not one of them.
Posts: 1037
Joined: 8 May 2006

therube

"Fake pwd for forum" ;-).
(Before I looked, I was going to say you should remove from here, & change... heh.)

So locally if someone had access (or remotely if you've been hacked), someone could view (& easily) "decrypt" your (obscured) password. I while (basically) stored as "plain text" locally, what would be sent via SFTP would be encrypted - you'd better hope :-).


(This would not be the case with FTP [non-SFTP].)
Posts: 4
Joined: 9 Sep 2023

Plug-fr

As you proved, it is easy to decipher base64. So what's the interest to use it ?

From my point of view I DO NOT see why. And this is the reason why I ask a developper.
I hope the developper who write this code knows why... and agrees to tell me :)
User avatar
Site Admin
Posts: 7210
Joined: 9 Dec 2007

Zenju

Aren’t the SFTP commands not already encrypted by FreeFileSync before before being sent through the internet ? Plug-fr, 10 Sep 2023, 15:26
Yes, SFTP is TLS-encrypted, and so is everything that is sent over the SSH connection.

As I use remote NAS with SFTP server to bachup my datas, I note the password is base64 encoded in the FFS cloud command :
lien.png
I’m worried about this behavior. Plug-fr, 10 Sep 2023, 15:26
This is so that your coworker doesn't see your password when looking over your shoulder.
Posts: 4
Joined: 9 Sep 2023

Plug-fr

Hi Zenju and thank for your answer

Ok for
the man looking over my shoulder
But what about the man accessing my computer ?
As said "Therube", this password is stored in base64 locally (in the ffs_gui file).

It's a security hole.

Can you think about a solution protecting acces to the ffs_gui file ?

Thank's for develop this very good tool
User avatar
Posts: 4056
Joined: 11 Jun 2019

xCSxXenon

You should be protecting your computer so they can't access your computer.
User avatar
Site Admin
Posts: 7210
Joined: 9 Dec 2007

Zenju

There is the "prompt during login" password option.
Posts: 4
Joined: 9 Sep 2023

Plug-fr

thank you again.

I discover this option recently and it seems good.

However I had to delete few passwords in the GlobalSettings.xml file, recorded I suppose before I use the option.