October 30, 2013

DO NOT use FileZilla anymore. Use WinSCP.

I have been using FileZilla for a while now, and just discovered the following things that made me remove FileZilla from my computer immediately:

  1. FileZilla stores the usernames and passwords for all sites in clear text in a fixed location: %APPDATA%\FileZilla\sitemanager.xml
  2. Even if you do not use the site manager to save your passwords, FileZilla saves all "quick connections" to a file, "recentservers.xml", again with all usernames and passwords in clear text.
  3. A bug asking FileZilla to encrypt the passwords with a master password was filed over 3 years ago, yet no action has been taken.

This is more than bad practice. It almost deliberately helps hackers/worms steal passwords.

Switch to "WinSCP", which is also open source, and allows you to encrypt all stored passwords with a master password.
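
To see which of your own accounts are exposed this way and need their passwords changed, the two files can be audited without ever printing a password. This is an added example, not code from the original post or from the FileZilla project; the `<Server>`, `<Host>`, `<User>` and `<Pass>` element names and the optional `encoding` attribute are assumptions about the FileZilla 3 XML layout, and the sample data is constructed.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# File names come from the post; the element names are an assumed layout.
CONFIG_FILES = ("sitemanager.xml", "recentservers.xml")


def audit_xml(xml_data, source):
    """Return one finding per <Server> entry that has a non-empty <Pass>.
    The password value is never returned, only where it was found."""
    findings = []
    for server in ET.fromstring(xml_data).iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue  # no password stored for this entry
        findings.append({
            "source": source,
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            # An encoding attribute such as base64 is not encryption.
            "storage": pass_el.get("encoding") or "cleartext",
        })
    return findings


def audit_profile(config_dir):
    """Audit both files in a config directory; absent files are skipped."""
    findings = []
    for name in CONFIG_FILES:
        path = Path(config_dir) / name
        if not path.is_file():
            continue
        try:
            findings += audit_xml(path.read_bytes(), name)
        except ET.ParseError:
            findings.append({"source": name, "host": "", "user": "",
                             "storage": "unparsable"})
    return findings


# Constructed sample input, not taken from a real machine.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><User>alice</User><Pass>not-a-real-secret</Pass></Server>
  <Server><Host>sftp.example.test</Host><User>bob</User><Pass encoding="base64">bm90LXJlYWw=</Pass></Server>
  <Server><Host>anon.example.test</Host><User>anonymous</User></Server>
</Servers></FileZilla3>"""

if __name__ == "__main__":
    default_dir = Path(os.environ.get("APPDATA", "")) / "FileZilla"
    for f in audit_profile(default_dir) or audit_xml(SAMPLE, "sample"):
        print(f"{f['source']}: {f['user']}@{f['host']} stored as {f['storage']}")
```

Every account the script lists should be treated as exposed to anything that can read the user profile: change those passwords on the servers and remove the saved entries.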


  1. Thanks.................dude

  2. WOW! This is so true, I can't believe my eyes!!
    Just checked this location and found all my passwords clean and open to any sniffer I might possibly have.

    Thank you man!!!

  3. Just make the sitemanager.xml and recentservers.xml files "read-only". Problem solved, doh.