Don't put password into directory spec

[NoeNie]

Hi,

I discovered FreeFileSync for the use case of uploading files to an FTP server quickly and easily. It does better than domain-specific (FileZilla) or commercial products (PhpStorm). Kudos!

What prevents me from using it in practice is that it stores my sensitive password unencrypted in the ffs_sync config file (and, less importantly, displays it in base64 encoding on the UI). For instance, suppose my password is "sdf", then the UI will display the path as

ftp://username@server.com/some/path|ssl|pass64=c2Rm


where c2Rm can be decoded to "sdf".

The other above-mentioned applications provide a feature where you don't provide the password (but still indicate that one is required, i.e. sth like "pass64=<ASK>" or just "pass64" without the "="). Upon first usage (per server+username) the application will ask for the password and, if the connection was successful, will store it in (encrypted?) memory until the application is closed. Would it be possible to add a feature like this to FreeFileSync too?

Thanks

[NoeNie]

I'd offer my help with implementing this if I had access to the code. Either way, I'd appreciate a response (even if it's just "no" or "working on it with low priority").

[Plerry]

You can download the FFS source code in the FFS download page.

[bgstack15]

The source code is released in its entirety of the GPL release of the software in the complete tarball. A small group of us have been tracking the history of these releases, and possibly could provide the environment for you to write any patches: https://gitlab.com/opensource-tracking/FreeFileSync

[NoeNie]

Cool! I'll write a patch when I get time. For now I tried building the existing code on Windows (with WSL if needed) for execution on Windows. I found this https://github.com/jeffli678/build-FreeFileSync so far. Let me know if you have more tips.

[bgstack15]

I know nothing about compiling FreeFileSync on Windows, but I build dpkg and rpm packages for myself.

[NoeNie]

I had a look at how this could be implemented. Unfortunately, the FTP code is quite deeply integrated with AbstractPath and such, which was designed without user interaction in mind. So the dialog that asks the user for the password would probably have to be shown at an earlier point.
Anyway, more importantly, constructing that dialog should probably be done with the wxFormBuilder (to update the gui_generated.cpp file), but the wxFormBuilder project file (.fbp file) doesn't appear to be bundled with the source. Is it available somewhere else?

[dpgoldenberg]

Hi,
This topic seems to have been dropped some time ago, but I would like bring it up again. Like NoeNie, I would like to have the option of not storing the password to my server in the server settings. In my case, I am using an institutional server, and the password for it is the same as for just about everything else that I do at the institution. I know that I can delete the password after each use, but that is pretty awkward and I'm likely to forget to do it.
Thanks,
David

[tft]

Hi, I recently came across this wonderful application and find it very useful - thanks !!

I too, though, am paranoid about storing my passwords (in plain text no less) and believe an option not to do so should urgently be added. FFS can function like PuTTY does when you don't enter a user/password - it simply prompts for them and never stores them unless the user _explicitly_ asks for them to be stored.

I hope this important topic gets seriously looked into again given the fact that we now live in a more breach-prone world.

Regards.

[Zenju]

Implemented for the next release!

FreeFileSync 12.0
-----------------
Don't save password and show prompt instead for (S)FTP

[dpgoldenberg]

That will be great! Thanks very much.

David