If you're transferring files via FTP, there's something you should know: standard FTP sends your username, password, and every file completely unencrypted. Anyone on the same network can see everything with basic packet-sniffing tools. This isn't a theoretical risk. File transfer vulnerabilities have caused some of the largest data breaches in recent years.

The good news: securing your transfers is not complicated. You just need to use the right protocol and follow a few practices.

Why plain FTP is a problem

FTP was designed in 1971, long before internet security was a concern. It transmits everything in cleartext, including login credentials. On a coffee shop Wi-Fi, a compromised router, or even a corporate network with a bad actor, your files and passwords are fully exposed.

This isn't just about personal files. In 2023, a vulnerability in the MOVEit file transfer platform affected over 3,000 organizations and an estimated 100 million users. In 2024, financial services firm Finastra had its SFTP platform compromised, potentially exposing data from banks worldwide. In 2025, critical vulnerabilities in Wing FTP Server and CrushFTP were actively exploited in the wild.

The pattern is clear: file transfer is a high-value target, and using unencrypted protocols makes it trivially easy to exploit.

SFTP vs FTPS vs FTP: which to use

SFTP (SSH File Transfer Protocol) is the strongest choice for most users. It encrypts everything over a single SSH connection on port 22. It supports key-based authentication (no passwords sent over the wire), and its single-port architecture makes firewall configuration simple. If you have a choice, use SFTP.

FTPS (FTP over TLS) adds SSL/TLS encryption to the original FTP protocol. It's secure when configured correctly, but it inherits FTP's dual-channel architecture (separate control and data connections), which complicates firewall rules and NAT traversal. It also requires SSL certificate management. Use FTPS when your server doesn't offer SFTP.

Plain FTP should only be used on isolated internal networks where the traffic never touches the internet. Even then, consider whether SFTP would be just as easy to set up.

Use SSH key authentication

Passwords can be guessed, phished, or intercepted. SSH keys are cryptographically strong and practically impossible to brute-force. A 4096-bit RSA key or an Ed25519 key provides security that no password can match.

To generate a key on your Mac, open Terminal and run:

ssh-keygen -t ed25519 -C "your-email@example.com"

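This creates a key pair in ~/.ssh/: by default, the private key (id_ed25519) and the public key (id_ed25519.pub). Add the public key to the authorized_keys file for your account on the server. Then configure your FTP client (or FTPull/FTPush) to use the private key instead of a password.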

To store the key passphrase in macOS Keychain so you don't have to type it every time:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519
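
To check that a key actually meets the advice in this section (Ed25519 or 4096-bit RSA, passphrase set, file not accessible to other users), the following Python check reads the unencrypted header of an OpenSSH-format private key. It is an added example, not part of the original article or of FTPSuite; the function names are its own, and the two sample keys are constructed headers with a filler private section.

```python
import base64, struct
MAGIC = b"openssh-key-v1\0"                    # start of the OpenSSH private key format
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _read(buf, off):  # one SSH wire string: uint32 length, then that many bytes
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(pem_text):
    """Parse the unencrypted header: key type, RSA size, passphrase protection."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    blob = base64.b64decode("".join(lines[1:-1])) if lines[:1] == [BEGIN] else b""
    if not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSH-format private key")
    cipher, off = _read(blob, len(MAGIC))
    for _ in range(2):                         # skip kdfname and kdfoptions
        _skipped, off = _read(blob, off)
    pub, _ = _read(blob, off + 4)              # off + 4 skips the uint32 key count
    ktype, p = _read(pub, 0)
    bits = None
    if ktype == b"ssh-rsa":                    # public blob: type, exponent e, modulus n
        _e, p = _read(pub, p)
        n, _ = _read(pub, p)
        bits = int.from_bytes(n, "big").bit_length()
    return {"type": ktype.decode(), "bits": bits, "encrypted": cipher != b"none"}

def audit(info, file_mode):
    """Findings against the text's advice: Ed25519 or 4096-bit RSA, passphrase set."""
    findings = []
    if not info["encrypted"]:
        findings.append("no passphrase: anyone who copies the file can use the key")
    if info["type"] == "ssh-rsa" and info["bits"] < 4096:
        findings.append("RSA key is %d bits, below 4096" % info["bits"])
    elif info["type"] not in ("ssh-rsa", "ssh-ed25519"):
        findings.append("key type %s is neither Ed25519 nor RSA" % info["type"])
    if file_mode & 0o077:
        findings.append("mode %o lets group or others access the key" % (file_mode & 0o777))
    return findings

def _s(b):
    return struct.pack(">I", len(b)) + b

def make_sample(cipher, pub):  # constructed input: real header, filler private section
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _s(cipher) + _s(kdf) + _s(b"") + struct.pack(">I", 1) + _s(pub) + _s(b"\0" * 8)
    return BEGIN + "\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"
ED_PUB = _s(b"ssh-ed25519") + _s(b"\x01" * 32)     # constructed, not a real public key
RSA_PUB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00\x80" + b"\x00" * 255)  # 2048-bit
```

For a real key, pass open(path).read() and os.stat(path).st_mode; only the header is read, so no passphrase is needed.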

Credential storage on Mac

Where your FTP credentials are stored matters. Some apps store passwords in plaintext configuration files or preference plists on disk. If malware or an unauthorized user accesses your Mac, those credentials are immediately compromised.

The secure approach is to use macOS Keychain, which encrypts credentials and protects them with your Mac's login password. FTPSuite stores all connection credentials in Keychain rather than in app-specific files. This leverages Apple's built-in encryption and access controls.

Be aware that Mac infostealers (like Atomic Stealer and Banshee) specifically target Keychain data. To protect yourself: keep macOS updated, enable FileVault disk encryption, use a strong login password, and be cautious with downloads from unknown sources.

Best practices checklist

How FTPSuite handles security

FTPSuite (FTPull and FTPush) is designed with these practices in mind:

The security of your file transfers depends on the protocol you choose and how you manage credentials. The tools exist. Use them.