Please obfuscate passwords in %APPDATA%\utorrent\settings.dat

[funchords]

I noticed that my WebUI password was stored in plain text in %APPDATA%\utorrent\settings.dat ... I did not test it, but I suppose if I used a work proxy with authentication, my password there would be stored in plain text, too.

Both cases, the 2nd case especially, is a concern. In my former company, it would result in a security ban of the uTorrent client on any machine controlled by the company IT (even if the application was only used at home).

Suggestion: The WebUI case could be resolved with a warning message that the password is not going to be stored in a secure manner, and that they should not use the same username/password that is used on any other sensitive accounts. However, the better solution is to encrypt or obfuscate that password. The proxy username/password is less flexible. Some level of encryption or obfuscation is needed for the password part of proxy account credentials.

This would be a new feature, and not a fix. I would rate this as important for version 1.8, but I wouldn't spin a 1.7.2 for it.

[Firon]

Whatever obfuscation it uses would be weak, as it still needs to be able to work properly with basic HTTP auth.

[funchords]

Understood.