Posted by Steve Riley [MSFT] on July 21, 2008, 1:46 am
I look at it this way... in the particular case of unencrypted FTP URLs,
since the "userid:password" portion of the URL will be logged in cleartext
in plenty of places besides the user's own profile, I don't see that there's
much additional risk here.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com
>> Please understand the science here. If a protocol is insecure on the
>> wire, then there's zero benefit in trying to hide any aspects of that
>> protocol conversation on the individual computer itself. Besides, the
>> displayed password (retrieved from the URL history in this case) is
>> displayed only to the particular user who's logged on. If some other user
>> logs onto the PC, then that user can't see the first user's history
>> (local admins excepted, of course).
>
> Your first two sentences are a bit of a copout, Steve.
>
> Plenty of people use FTP securely - say, for instance, over an encrypted
> VPN, or over IPsec.
>
> As for the remaining sentences, it's worth noting that in most other
> places where you enter a password, the password is blanked out, even
> though it is indeed your own password.
>
> The old "my password? yeah, it's eight stars" joke reminds us that
> passwords, where they can be recognised as such, should always be hidden
> from view. Otherwise, shoulder-surfing gets much easier.
>
> Or are you planning on spreading this message throughout Windows, and
> having the logon screen echo the password back to the user as they type
> it?
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>
>