Author Topic: Bookmarks  (Read 630 times)

hill180

  • Jr. Member
  • Posts: 3
Bookmarks
« on: March 07, 2014, 01:03:58 AM »
I didn't know if anyone has this answer:

In setting up Dropbox, I can turn off "Store Passwords in Keychain" to save the password in the Bookmarks.

The documentation says the passwords will be "saved in the (Encrypted) Bookmarks themselves"

My Question:

What is the key/password used for the Encrypted Bookmarks? If I reload my Mac, will the bookmarks still open?

JD

  • Administrator
  • FTP Guru
  • Posts: 2397
Re: Bookmarks
« Reply #1 on: March 07, 2014, 01:59:55 AM »
The encryption method and key are completely proprietary and built into Yummy itself, so your Bookmarks will be safe, don't worry :)

hill180

  • Jr. Member
  • Posts: 3
Re: Bookmarks
« Reply #2 on: March 07, 2014, 08:27:15 PM »
Hello JD. 

I really like Yummy FTP for the syncing and will purchase the software, but I sent a message.  I was able to create a proof of concept and got the username and password from the encrypted password bookmarks.

Because of this I probably won't sync the bookmarks to Dropbox, for security purposes.

Take care.

JD

  • Administrator
  • FTP Guru
  • Posts: 2397
Re: Bookmarks
« Reply #3 on: March 08, 2014, 04:41:10 AM »
I am messaging you because I wanted to ask a question outside of public, just in case this hasn't been thought of.

If the bookmark file is encrypted and the key is built into Yummy, I understand the Bookmark Files are encrypted. But as a hypothetical, if I did the following I believe I could get the passwords:

1.  Get the Yummy Bookmark Files
2.  Install Yummy on the new computer and restore Bookmarks
3.  Change server settings of the bookmarks (but leave the server password) to a local unencrypted communication (like local ftp server)
4.  Run a packet analyzer and tell Yummy to connect
5.  Get passwords.

Thank you for your time.

I replied to your message this morning… sorry, I rarely get forum messages: people usually use email :)

As I pointed out in my reply, if someone can get access to your Yummy FTP Bookmarks from your computer then they can get access to anything else including the Keychain file, email accounts, bank details, etc. etc… they could just install Yummy on their Mac and connect: no need for the convoluted packet sniffing method.

If you're hypersensitive about security you should be using SFTP and keyfile access, not FTP (which sends passwords in clear text by the way) and not passwords.

For Dropbox syncing purposes you can leave your passwords in the Keychain if you prefer. It just means that passwords won't be automatically synced.

hill180

  • Jr. Member
  • Posts: 3
Re: Bookmarks
« Reply #4 on: March 09, 2014, 08:20:58 PM »
My question was to see about the bookmarks. Because Keychain uses the username and password as the hash, even getting the file will not allow you access to the information inside without credentials.

If the bookmark file was ever compromised, the person would have access to the server, and with the hack below, have the actual password of the server. I understand the security of the FTP protocol (or the lack thereof), that can't be avoided depending on the client, but like I said before, this was about the bookmarks.

For my security I will leave the password in the keychain.  Thank you very much for clarifying the bookmark security.

I do appreciate your time in this matter.  :)

JD

  • Administrator
  • FTP Guru
  • Posts: 2397
Re: Bookmarks
« Reply #5 on: March 10, 2014, 05:08:45 AM »
Thank you for the clarifications to your original question and I understand where you're coming from now. Sorry I didn't get to the point more quickly this time :)

For what it's worth, I'm planning to make the Dropbox syncing setup more automated in a future update, so it's very valuable that I now know some people will require the option to keep the passwords in the Keychain.

Thanks!