Protect Passwords with a Master Password
By default, FileZilla and FileZilla Pro save the passwords you enter in the Site Manager in plain text. The master password feature lets you encrypt all stored credentials with a single passphrase — so even if someone gains access to your files, your passwords remain protected.
If you prefer to watch rather than read, our FileZilla Master Password video tutorial covers the setup steps.
Warning: Keep your master password in a safe place. If you lose or forget it, there is no recovery path — all passwords stored under it will be permanently inaccessible.
What the Master Password Protects Against
The master password is designed to protect your stored credentials against a passive attacker who can read files on your computer — for example, someone who gains physical access to your machine, copies your disk, or reads files over a shared network drive. In this scenario, your passwords are encrypted and useless to the attacker without the master password.
The master password does not protect against:
- Attackers who can read your active program memory
- Attackers who can modify files on your system (active attackers)
- Keyloggers or other input monitoring tools
- Network eavesdropping if you use plaintext protocols (FTP without TLS)
These categories of attack require hardware-level countermeasures and are beyond the scope of any software-based password protection. If you are in an environment where such threats apply, the appropriate safeguard is to use Do not save passwords (see below) and enter credentials manually each session.
Your Three Password Storage Options
FileZilla and FileZilla Pro offer three modes, reachable via Edit > Settings… > Interface > Passwords:
- Save passwords protected by a master password — credentials are encrypted on disk. Recommended for most users.
- Save passwords (no master password) — credentials are stored using Base64 encoding, which provides no meaningful security. Anyone who can access your profile files can read your passwords.
- Do not save passwords — credentials are never written to disk. You will be prompted to enter them on each connection.
How to Set Up a Master Password
- In the main menu, click Edit > Settings…
- Select Interface > Passwords from the left-hand menu.
- Select Save passwords protected by a master password.
- Enter your chosen master password in both the Master password and Repeat password fields.
- Click OK.
All passwords currently stored in the Site Manager (and, in FileZilla Pro, all cloud storage credentials) are immediately re-encrypted under the new master password.
Disabling or Changing the Master Password
If you want to remove the master password:
- Go to Edit > Settings… > Interface > Passwords.
- Select Save passwords (without master password) or Do not save passwords.
- You will be prompted to enter the current master password. If you provide it, stored passwords are decrypted and retained. If you cannot provide it, all stored passwords are permanently lost.
- Click OK.
To change the master password, disable it as above (providing the current password so credentials are preserved), then re-enable it with the new passphrase.
If You Forget the Master Password
There is no backdoor and no recovery mechanism by design — the master password is never stored anywhere; it is only used to derive the encryption key at runtime. If you forget it:
- Go to Edit > Settings… > Interface > Passwords and switch to Save passwords or Do not save passwords.
- When prompted for the current master password, cancel or dismiss — FileZilla will allow you to disable it, but all encrypted passwords will be wiped.
- You will need to re-enter your credentials for each site. Contact the relevant server administrator or cloud provider if you no longer have access to the original passwords.
Recovering Passwords Stored Without a Master Password
If you chose to save passwords without a master password, you can retrieve them via the export function — they are stored in Base64 encoding, which is easily reversible:
- Choose File > Export.
- Select Export Site Manager entries and click OK.
- Save the exported file. Note: anyone with access to this file can decode all your passwords.
- Open the file in a text editor and locate the <Pass> entry for the site.
- Copy the Base64 string and decode it using any Base64 decoder tool of your choice. The decoded output is your plaintext password.
Note: This recovery method works only for passwords stored without a master password. Passwords encrypted with a master password cannot be recovered this way.
How It Works (Technical)
The master password encryption was introduced in FileZilla 3.26.0 and uses modern, well-reviewed cryptographic primitives throughout. The following is a summary of the design for technically minded users and security evaluators.
Key derivation
When you set a master password (P_master), a random 32-byte salt (S_m) is generated. Your password and the salt are passed through PBKDF2-HMAC-SHA256 with 100,000 iterations to produce a private key for the X25519 elliptic-curve Diffie–Hellman function. The corresponding public key (M_pub) and salt are saved for future use. The master password itself is never stored.
Per-password encryption
Each password (P) is encrypted independently. A fresh random 32-byte salt (S_e) and a random ephemeral X25519 keypair are generated for each one. Using Elliptic-Curve Diffie–Hellman (ECDH), a shared secret is derived from the ephemeral private key and the stored master public key. From that shared secret, an AES-256-CTR key and nonce are derived (via SHA-256), and the password is encrypted. The ciphertext, the ephemeral public key, and the per-password salt are all saved together.
Decryption
To decrypt, FileZilla asks for the master password, re-derives the private key from it and the stored salt (S_m), recovers the ECDH shared secret using the stored ephemeral public key, re-derives the AES key and nonce, and decrypts. Because the private key is re-derived on demand rather than stored, there is no file that an attacker can target to bypass the master password.
References
- RFC 7748 — X25519 and ECDH
- RFC 2898 — PBKDF2
- Wikipedia — Advanced Encryption Standard (AES)
- Wikipedia — Counter (CTR) mode
Video Tutorial: FileZilla Master Password Setting