Managing FTP credentials securely: why you need a password manager
The credentials for your FTP servers are the keys to your website: whoever holds them can read, modify and delete files. Storing these passwords directly in the FTP client is convenient – but it is also the worst place to keep them. This article explains the risks involved and shows how to protect your credentials properly with a password manager.
What happens when FTP credentials fall into the wrong hands
A compromised FTP account rarely affects just one file – it affects your entire web presence:
- Website manipulation: Attackers alter content or replace your home page (defacement).
- Malware distribution: Your web space is used to serve malware or phishing pages – in your name and under your domain.
- SEO spam and blacklisting: Hidden spam links damage your rankings; Google warns visitors about your site or removes it from the index.
- Data leakage: Configuration files on the server often contain further credentials, for example for databases.
- Liability and reputation damage: Cleaning up costs time and money – the lost trust often costs more.
Regardless of how you store passwords: never transmit credentials unencrypted. Use the SFTP or FTPS protocols in WISE-FTP – our article FTP and SFTP explains the differences.
Why storing passwords in the FTP client is not enough
Passwords saved in an FTP client can be used by anyone with access to your computer – a colleague at an unattended desk, a stolen laptop, or malware that reads local application data. Such stored credentials are typically not protected by a separate master password, and in a team there is no central control over who knows which logins.
Our recommendation is therefore simple: do not store FTP credentials in the FTP client, but in a tool specialized for the job – a password manager.
How to recognize a good password manager
Not every tool that stores passwords actually protects them. Look for these properties:
- Strong encryption: The password database is encrypted with a recognized algorithm such as AES-256.
- Protection in memory: Passwords are not kept in plain text in RAM, where malware could harvest them.
- Master password: One strong password protects all others – it is the only one you still need to remember.
- Password generator: Creates a long, unique password for every server, so you never have to memorize them.
- Auto-fill: Enters credentials directly into login forms – which also protects against typos and onlookers.
- Team features: If several people maintain your servers, you need shared databases with access control instead of passwords sent around by e-mail.
- Control over the storage location: You decide whether your data is stored locally, on your own server or in a cloud of your choice.
Several programs on the market meet these requirements. We ourselves develop and use the password manager Password Depot – it comes from the same company as WISE-FTP, encrypts databases and entries with AES-256, runs on Windows, macOS, Linux, iOS and Android, and can be tried free of charge. Which tool you choose is up to you – what matters is using a password manager at all.
If several people work with the same servers, it is worth looking at team solutions such as the Password Depot Enterprise Server: shared password databases with central access control – when one member changes a server password, the change is immediately available to everyone, without password lists sent by e-mail.
How to combine WISE-FTP with a password manager
- Use the password generator to create a separate, long password for every FTP server.
- Set the new passwords with your hosting provider or on the server.
- Store the credentials in the password manager – not in the FTP client's site manager.
- Remove any passwords already saved in the FTP client.
- Use the password manager's auto-fill feature when connecting.
- Enable SFTP or FTPS for your connections.
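An audit matching the checklist above, as an added example (not code from WISE-FTP or Password Depot): it takes a site list in a hypothetical export format with constructed entries and flags plain-FTP connections, passwords still saved in the client, and passwords shared between servers, without ever printing a password. The field names, finding labels and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample data. The field names are hypothetical and do not
# reflect the storage format of WISE-FTP or any other FTP client.
SITES = [
    {"name": "shop", "url": "ftp://ftp.example.com", "saved_password": "Summer2024"},
    {"name": "blog", "url": "sftp://blog.example.org", "saved_password": "Summer2024"},
    {"name": "intranet", "url": "ftps://files.example.net", "saved_password": ""},
]
ENCRYPTED_SCHEMES = {"sftp", "ftps"}


def audit_sites(sites):
    """Return {site name: [findings]}; passwords never appear in the result."""
    key = secrets.token_bytes(32)  # per-run HMAC key, discarded afterwards
    by_fingerprint = {}            # password fingerprint -> names of sites using it
    report = {}
    for site in sites:
        findings = report.setdefault(site["name"], [])
        if urlsplit(site["url"]).scheme.lower() not in ENCRYPTED_SCHEMES:
            findings.append("unencrypted-protocol")
        password = site.get("saved_password") or ""
        if password:
            findings.append("password-saved-in-client")
            fp = hmac.new(key, password.encode(), hashlib.sha256).digest()
            by_fingerprint.setdefault(fp, []).append(site["name"])
    # Identical fingerprints mean one password protects several servers.
    for names in by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                report[name].append("password-reused")
    return report


def new_password(length=24):
    """Generate one long random password per server (length over complexity)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, findings in audit_sites(SITES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

A site with an empty findings list already follows the checklist; every other entry names the step that is still open.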
Ground rules for secure passwords
A password manager makes it easy to follow the most important rules: use a separate password for every service, favor length over complexity, never reuse a password, and enable two-factor authentication wherever possible. Detailed guidance is published by NIST in its Digital Identity Guidelines (SP 800-63B).
Frequently asked questions
Is it safe to store passwords in an FTP program?
It is convenient, but risky: anyone with access to your computer can use the saved logins, and locally stored credentials can be read by malware. A password manager with a master password and strong encryption is the safer choice.
Is a password manager worth it for a single website?
Yes. A single compromised FTP account can lead to defacement, malware distribution and blacklisting – compared to that, the effort of using a password manager is minimal.
What is different in a team?
In a team, the uncontrolled sharing of passwords is the biggest risk. A shared, centrally managed password database – for example with the Password Depot Enterprise Server – ensures that everyone sees exactly the logins they need and that changes reach everyone immediately.