  1. #1
    Join Date
    Jun 2008

    FTP in the clear passwords, are you tired of it yet?

    I don't know about you but I'm tired of these hosting companies that offer FTP accounts and don't force SSL connections.
    Meaning passwords are sent in the clear.
    Then people wonder how their account is compromised. Yes, I know there are other ways like PC viruses etc. But with all this concern over security, why not simply make users use a secure connection?
    I think all the FTP clients out there can do it, and it's only one click to turn it on, and if more hosts did this they would make clients automatically try SSL first as a default.
    Even better, I like the FTP clients that don't have an option to force only SSL, and so you don't know if it is secure or not.
    I say make the user have to manually click something to go to "normal" mode and then warn them with another screen that their password is going to be sent in the clear.
    The original RFC for SSL in FTP was posted in 1996!!
    Then cPanel isn't helping, it sends your password in the clear (if you are not SSL) if you simply click on "FTP Accounts", at the bottom of the page you see links that have the password in the URL. Sheesh! When are these guys ever going to learn?
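
A host can measure how many of its FTP logins actually travel in the clear. The following is an added example, not part of the original post: it scans a control-channel log and reports sessions where `PASS` was sent without a successful `AUTH TLS` (explicit FTPS, reply code 234). The log format and sample lines are constructed for illustration.

```python
import re

# Constructed sample log: "<session-id> <C|S> <control-channel line>".
# This format is an assumption of the example, not any server's real format.
SAMPLE_LOG = """\
s1 C USER alice
s1 C PASS hunter2
s2 C AUTH TLS
s2 S 234 AUTH TLS successful
s2 C USER bob
s2 C PASS s3cret
s3 C AUTH TLS
s3 S 500 AUTH not understood
s3 C USER carol
s3 C PASS letmein
s4 C USER anonymous
s4 C PASS guest@example.com
"""

LINE = re.compile(r"^(\S+) ([CS]) (.*)$")

def cleartext_logins(log_text):
    """Return [(session, user)] where PASS was sent without a successful AUTH."""
    pending_auth = set()  # sessions that sent AUTH and await the server reply
    secured = set()       # sessions whose AUTH was answered with 234
    users = {}            # last USER seen per session
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, side, text = m.groups()
        verb, _, arg = text.partition(" ")
        if side == "C":
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                pending_auth.add(sid)
            elif verb == "USER":
                users[sid] = arg
            elif verb == "PASS" and sid not in secured:
                user = users.get(sid, "?")
                # Anonymous logins carry no secret; never record the password.
                if user.lower() not in ("anonymous", "ftp"):
                    findings.append((sid, user))
        elif sid in pending_auth:
            pending_auth.discard(sid)
            if verb == "234":  # server accepted the TLS upgrade
                secured.add(sid)
    return findings
```

Session `s3` is the case a client without a "require SSL" option hides: the upgrade was refused and the password went out in the clear anyway.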

  2. #2
    ....doesn't matter if the passwords and usernames are sent via email...checked via pop...most of the FTP compromises are from viruses.

  3. #3
    I guess it takes a compromised account for people to learn

  4. #4
    Join Date
    Apr 2003
    While it is a problem, realistically how many people are getting exploited by that? Yes, if you are surfing on free wifi without SSL you are leaving yourself up to being sniffed.

    The bigger problem is the viruses, such as the recent one that was grabbing stored passwords and uploading a trojan to a site. Or perhaps keyloggers stealing the passwords.

    So yes, everybody should be using it; I think that a relatively few number of people get exploited this way.

    What about how many people use SSL for pop3/smtp? I bet those passwords are the same as the account password more often than not...
    John W, CISSP, C|EH
    MS Information Security and Assurance - Server Administration and Security - Managed VPS and Dedicated Servers with VIP Service

  5. #5
    Join Date
    Sep 2009
    POP3 passwords in the clear are the real biggie these days. Get 'em to use SSL for sure!
