FTP client software is used to connect to an FTP server and upload files or folders to it. When you sign up for a web hosting package, the host normally provides you with FTP login information so that you can upload your website to their server. It is very important to keep your FTP username and password safe, because if they fall into the wrong hands, an attacker can embed malicious scripts in your website and infect your visitors. They can also delete your website and upload a single index HTML file to show that the site has been defaced or hacked.

Unfortunately, FTP is not safe at all. First of all, FTP credentials are transferred in clear text, so the username and password can be seen with a packet sniffer. SFTP solves this problem, but it is not very commonly installed on web servers. If your web server has SFTP, I suggest you use it.

The next thing to worry about is how securely FTP client software stores your FTP password. If you didn’t know, FileZilla, one of the most popular free FTP clients, saves your FTP login information to sitemanager.xml and recentservers.xml in clear text. Even if you use commercial paid FTP client software such as SmartFTP, which encrypts your FTP password, it is still not very safe because there is recovery software that can decrypt the encrypted password.

Most of the time, FTP password recovery software or a trojan is programmed to recover passwords instantly. This is done by looking in the registry to find out whether FTP software is installed, then decrypting and revealing the FTP login information. Here is one example using FileZilla to help you understand better. I downloaded the installer and ran the setup. During installation I was prompted to choose the install location. Even if I changed the default install location, password recovery software could still find it because the registry reveals where FileZilla is installed!

One way to protect yourself from such password recovery software is to use a “portable” version of an FTP client. There is a FileZilla Portable that can be downloaded from PortableApps. A portable version of FileZilla does not write any information to the Windows registry, hence password recovery software won’t know that FileZilla is installed.
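
To see how exposed your own saved sites are, the following added example (not from the original article or from FileZilla) audits the contents of a sitemanager.xml or recentservers.xml file and reports which entries hold a stored password, without ever printing the password. The XML layout (`Server`, `Host`, `User`, `Pass` with an optional `encoding` attribute, `Protocol` value 1 meaning SFTP) and the sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed FileZilla 3 site manager layout; not real data.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <User>webmaster</User><Pass>constructed-sample</Pass>
      <Name>Old plaintext entry</Name>
    </Server>
    <Server>
      <Host>files.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      <Name>Base64 entry</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host><Port>22</Port><Protocol>1</Protocol>
      <User>admin</User>
      <Name>No saved password</Name>
    </Server>
  </Servers>
</FileZilla3>"""


def audit_filezilla_xml(xml_text):
    """Return one finding per <Server>; the password value is never returned."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        stored = pw is not None and bool((pw.text or "").strip())
        encoding = pw.get("encoding", "plain") if stored else None
        findings.append({
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "password_stored": stored,
            # base64 is an encoding, not encryption: treat it like clear text
            "recoverable_without_key": stored and encoding in ("plain", "base64"),
            # Assumption: Protocol value 1 means SFTP
            "uses_sftp": server.findtext("Protocol", "0") == "1",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_filezilla_xml(SAMPLE_SITEMANAGER):
        print(finding)
```

Any entry reported with `recoverable_without_key` set to true is a candidate for removing the saved password and changing it on the server.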