Password caching in NFTP and security issues

Version 1.60 of NFTP introduces a new scheme for password caching. Previous approaches were inconvenient (changing a password was a hassle) and insecure (if NFTP was allowed to store passwords, everybody with access to your files was able to steal your passwords). Version 1.60 is more versatile: you can make it behave very transparently (and insecurely), or you can force it to apply cryptography to your passwords. The latter was suggested by Sebastian <scut@nb.in-berlin.de>.

Usefulness of password caching

When password caching is enabled, NFTP will automatically store host/userid/password combinations after a successful login. The file which keeps them is called nftp.psw and it is automatically created in your NFTP data directory (installation directory on OS/2 and Windows, ~/.nftp on Unix and BeOS). The next time you log in to the same site with the same userid, don't specify your password on the login screen: NFTP will look up this host/userid pair in the cache file and pick the password you used last time. This is especially convenient when using history: you can get to the point just by pressing Enter several times.

Three methods of password caching in NFTP

The behaviour of NFTP with regard to password caching is specified in nftp.ini. You should set encryption-type in the [passwords] section to one of the following methods:

Method Description
0 NFTP will not store passwords at all. This is the default on multiuser systems (Unixes).
1 NFTP will write plaintext, unencrypted passwords into the cache file. You should do this only if you are absolutely confident in the people who have access to your computer. This option gives you convenience because you can examine your password cache file and see the passwords in it.
2 NFTP will scramble passwords, as it did in pre-1.60 versions. Since the scrambling algorithm is reversible and does not require any input except the encoded string itself, this method is not secure. Everybody who can steal your password cache file will be able to extract your passwords. This method could be more useful than 1 because it protects your passwords from friends who are not very computer-literate. This method is the default on single-user systems (OS/2, Windows, BeOS).
3 This is the secure method. You will be asked for a separate password to encode/decode your password cache file (this separate password is called the keyphrase in NFTP). Of course it is less convenient than the previous methods, but on multiuser machines it could be useful. You can change the keyphrase by selecting the Sites|Passwords|Change keyphrase... menu item.

If your method is not 0, you can also review your passwords, change them, delete them and add new ones from inside NFTP. Just open Sites|Passwords|Edit passwords... Use Insert to add a new host/userid/password combination, Delete to remove an existing entry, and Ctrl-E to edit it. You can display/hide passwords with Ctrl-P.

The password cache file, nftp.psw, can be copied between machines to easily migrate your set of passwords. Of course, special care must be taken if you're not using method 3: don't leave copies lying around!
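
An added example, not part of NFTP or its documentation: a Python check of one NFTP data directory that reports methods 1 and 2 and a cache file that accounts other than the owner can access. It assumes nftp.ini sits beside nftp.psw and uses "key = value" lines with ";" or "#" comment lines; the function names are hypothetical.

```python
import os
import stat
import sys

# Wording follows the method table on this page.
RISK = {1: "plaintext passwords in nftp.psw",
        2: "reversible scrambling, decodable without any key"}

def read_encryption_type(ini_text):
    """Return encryption-type from [passwords], or None if unset/unparseable."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # assumed comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "passwords" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "encryption-type":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None

def audit(data_dir, multiuser=True):
    """Return findings for one NFTP data directory (empty list = no findings)."""
    findings = []
    ini = os.path.join(data_dir, "nftp.ini")     # assumed location
    psw = os.path.join(data_dir, "nftp.psw")
    method = None
    if os.path.isfile(ini):
        with open(ini, encoding="latin-1") as fh:
            method = read_encryption_type(fh.read())
    if method is None:
        method = 0 if multiuser else 2           # defaults stated on the page
    if method in RISK:
        findings.append(f"encryption-type={method}: {RISK[method]}")
    if os.path.isfile(psw):
        mode = stat.S_IMODE(os.stat(psw).st_mode)
        if method != 3 and mode & 0o077:
            findings.append(f"nftp.psw mode {mode:o}: accessible beyond its owner")
        if method == 0:
            findings.append("nftp.psw exists although caching is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.nftp")):
        print(finding)
```

The last check catches a cache file left behind after switching to method 0, which may still hold passwords written under an earlier setting.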

