FileZilla has other issues as well: for example, for the longest time they refused to encrypt stored passwords, although the bug's been reopened now so they may change their mind: http://trac.filezilla-project.org/ticket/5530
This isn't "wow", it's true. The plaintext password is required to login to servers, so if you store it locally in an encrypted form then the decryption key must also be stored locally. If an attacker was able to get your encrypted password then the attacker is just as easily able to get your encryption key.
For the same reason, Pidgin and many other IM programs also do not encrypt the password.
The Windows crypto APIs can encrypt secrets secured by the Windows account. This would protect against attacks by other users on the system who don't have permissions to impersonate the user who encrypted it, as well as protect against offline reading of the files.
It doesn't stop every attack, but it's not useless.
>This would protect against attacks by other users on the system who don't have permissions to impersonate the user who encrypted it
Outside of enterprise environments, most Windows installations are single user. Even if it's a multi-user system, the data would already be protected by NTFS permissions if it was stored in the user's profile folder.
>as well as protect against offline reading of the files
They may be operating under Pidgin's logic whereby if they can decrypt the password without user intervention, then all the information needed by a malicious user to decrypt the password is already on the system to be grabbed.
Still should go with the browser/password manager approach of using a master password to decrypt the password database.
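The Windows crypto API approach discussed above, as an added example that is not code from FileZilla, Pidgin or any other project named in the thread: DPAPI through .NET's ProtectedData, scoped to the current user, so the stored blob is bound to the account's credentials rather than to a key sitting next to it on disk. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the file path, entropy string and sample password are constructed for the example.

```powershell
# Added example: store a credential as a user-scoped DPAPI blob instead of plaintext.
Add-Type -AssemblyName System.Security

# Application-specific entropy (not a secret; constructed for this example). It is mixed
# into the DPAPI operation and must be supplied again on decryption.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-ftp-client-v1')

function Protect-StoredSecret {
    param([string]$Secret, [string]$Path)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # CurrentUser scope: the blob is tied to this account's DPAPI master key, which
        # Windows derives from the logon credentials. Another local user, or someone
        # reading the file offline, cannot unwrap it. LocalMachine scope would let any
        # process on the box decrypt it and is the wrong choice for user credentials.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $plain, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.IO.File]::WriteAllBytes($Path, $blob)
    } finally {
        # Scrub the plaintext copy rather than leaving it for the garbage collector.
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

function Unprotect-StoredSecret {
    param([string]$Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # What a different account, or a copy of the file taken offline, sees.
        Write-Warning "DPAPI refused to decrypt: $($_.Exception.Message)"
        return $null
    }
}

$file = Join-Path $env:LOCALAPPDATA 'example-client\sitemanager.secret'
New-Item -ItemType Directory -Force -Path (Split-Path $file) | Out-Null
Protect-StoredSecret -Secret 'constructed-sample-password' -Path $file

# Same account: round-trips. On disk the file is an opaque DPAPI blob, not the password.
Unprotect-StoredSecret -Path $file
$head = [System.IO.File]::ReadAllBytes($file)[0..15] | ForEach-Object { '{0:x2}' -f $_ }
"first 16 bytes on disk: $($head -join '')"
```

As the thread's Pidgin point notes, this does not help against code already running as the same user, since DPAPI will decrypt for that user without any prompt; it raises the bar for other accounts and for offline copies of the profile.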