Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format.

This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here.

FileZilla developer surprises his users

The move is extremely surprising, at least for the FileZilla userbase. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse.

In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.

The author of FileZilla Secure took this action after his computer was infected with malware, and the malware stole the FileZilla password trove, a file named sitemanager.xml.

Because FileZilla didn't store passwords in an encrypted format, the attacker had access to all the user's FTP credentials, stored as plain text inside the sitemanager.xml file.

FileZilla will be able to encrypt FTP passwords

With FileZilla Secure, and starting with FileZilla 3.26.0, this file will store these passwords in an encrypted format, as seen in the image below.

Current sitemanager.xml file on the left, encrypted sitemanager.xml on the right

This feature is not turned on by default, and to configure a master password with FileZilla 3.26.0, users must visit the Edit > Settings > Interface section, enable the feature, and set a master password.

Once this feature is turned on, the FileZilla client will ask the user for a master password every time the user attempts to connect to an FTP account.

Koose gives a technical explanation of how FileZilla's new master password system works on the software's support forum, here.