FTP client software are used to connect to FTP server and to upload files or folders to the server. When you sign up for a webhosting package, normally they would provide you with a FTP login information for you to upload your website to their server. It is very important to keep your FTP username and password safe because if it falls into the wrong hands, they can embed malicious scripts to your website infecting your visitors. Other than that, they can also delete your website and upload a single index HTML file to show that the site has been defaced or hacked.
Unfortunately FTP is not safe at all. First of all, FTP credentials are transferred in clear text and you can see the username and password by using a packet sniffer. SFTP solves this problem but it is not very commonly installed on webservers. If your webserver has SFTP, I suggest you to use it. The next thing to worry is how securely FTP client software store your FTP password? If you didn’t know, FileZilla, one of the most popular free FTP client software saves your FTP login information to sitemanager.xml and recentservers.xml in clear text. Even if you use commercial paid FTP client software such as SmartFTP which encrypts your FTP password, it is still not very safe because there are recovery software that can decrypt the encrypted password.
Most of the time a FTP password recovery software or a trojan is programmed to instantly recover passwords. This is done by looking in the registry to find if a FTP software is installed, then decrypt and reveal the FTP login information. Here is one example on FileZilla to help you understand better. I downloaded the installer and ran the setup. During installation I am prompted to choose the install location. Even if I changed the default install location, password recovery software can still find it because the registry reveals where FileZilla is installed!
The Windows registry reveals the location of where FileZilla is installed.
A FTP password recovery software managed to locate FileZilla even if it is installed in a non-default location, and reveals the password.
One way to ensure that you are safe from such password recovery software is to use a “portable” version of FTP client software. There is a FileZilla Portable that can be downloaded from PortableApps. A portable version of FileZilla does not write any information to the Windows registry, hence password recovery software won’t know that FileZilla is installed.
The FTP password recovery software did not find any FTP password on my computer when I am using a portable version of FileZilla.
This is still not really safe yet because it is possible that a password recovery software has a file searching feature which scans the whole hard drive for possible files containing FTP passwords. A good way to protect your FTP password further is to save the portable FTP client software in TrueCrypt encrypted container. You can refer to my previous article on how to create a TrueCrypt container and stop at step 12.
So sum it up:
1. Use SFTP if possible
2. Use portable FTP clients
3. Save the portable FTP client in TrueCrypt encrypted container