
FTP 101 – Part 3: Authentication, is plain FTP secure?

Published by Carsten Blum


I'm just going to spoil the suspense in the first sentence - no, FTP is really not secure with basic username and password authentication. :-)

Let me explain.


How FTP handles login (USER + PASS commands)

When you connect to an FTP server, the login typically looks like this:


USER myusername
PASS mypassword


And that’s exactly what gets sent over the network – in plain text. There’s no encryption, no scrambling, no TLS. Anyone with access to the network – a rogue WiFi hotspot, a compromised router, or a bored sysadmin with Wireshark – can easily read your credentials.


To help reduce this risk slightly, ftpGrid enforces strict password policies:

  • Strong username and password requirements

  • Minimum length rules

  • Character variety enforcement


It’s not a replacement for encryption, but it’s a small step toward more responsible FTP usage.


What’s the risk?

Let’s say you upload a file via FTP from a café WiFi. If someone is sniffing network traffic, they could:


  • See your username and password

  • Access your files on the server

  • Modify or replace files without your knowledge

  • Reuse your credentials on other systems


Plain FTP is fundamentally insecure on untrusted networks. And yes, that includes public WiFi, office LANs you don’t control, and even corporate VPNs if misconfigured.


Alternatives: FTPS and SFTP

So what should you use instead?


  • FTPS is FTP over TLS, just as HTTPS is HTTP over TLS. It adds encryption but can be tricky with firewalls.

  • SFTP is a completely different protocol, built on SSH. It encrypts everything, not just the credentials.
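
An added example, not part of the original tutorial or ftpGrid's code: a small Python audit that reads a control-channel transcript and flags USER/PASS commands sent before TLS was negotiated, including the case where the server refuses FTPS and the client quietly falls back to plain FTP. The transcripts are constructed samples, the AUTH TLS command and 234 reply are taken from the FTPS specification (RFC 4217) rather than from this page, and the function name is hypothetical.

```python
import re

# Constructed control-channel transcripts as a passive monitor would see them:
# ("C", line) is sent by the client, ("S", line) by the server.
PLAIN_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER myusername"), ("S", "331 Password required"),
    ("C", "PASS mypassword"), ("S", "230 Login successful"),
]
# The client asks for TLS, the server refuses, the client logs in anyway.
FALLBACK_SESSION = [
    ("S", "220 FTP server ready"), ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"),
] + PLAIN_SESSION[1:]
# FTPS: after the 234 reply only TLS records follow, so nothing is readable.
FTPS_SESSION = [("S", "220 FTP server ready"), ("C", "AUTH TLS"),
                ("S", "234 Proceed with negotiation")]

COMMAND = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

def audit_control_channel(session):
    """Return (verb, value, reason) for each credential sent without TLS."""
    findings = []
    auth_pending = auth_refused = False
    for direction, line in session:
        if direction == "S":
            if auth_pending:
                if line.startswith("234"):
                    return findings  # channel is encrypted from here on
                auth_pending, auth_refused = False, True
            continue
        match = COMMAND.match(line.strip())
        if not match:
            continue
        verb, arg = match.group(1).upper(), match.group(2) or ""
        if verb == "AUTH":
            auth_pending = True
        elif verb in ("USER", "PASS"):
            shown = arg if verb == "USER" else "*" * len(arg)  # never log the password
            reason = "TLS refused, client fell back" if auth_refused else "TLS never requested"
            findings.append((verb, shown, reason))
    return findings
```

The fallback case is the one worth alerting on: it means a client configured for FTPS still exposed its credentials because it did not treat a refused AUTH TLS as fatal.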


At ftpGrid, we highly recommend SFTP for all file transfers. It’s secure by design and works well even in complex network environments. We support multiple SSH key formats for authentication, so you can skip passwords entirely if you prefer.


Should you ever use plain FTP today?

If you’re working inside a tightly controlled, internal network with no internet exposure – maybe. But even then, using a secure protocol is better.

In 2025, there’s no good reason to send your credentials unencrypted.


Check out our other features and recommendations, or sign up now and get started.

