Storing username and password in plain text

To fix the issue you can do Other answers here are misleading and incorrect, although they may reassure you by mentioning transport security. The correct answer is that Windows Authentication does not send passwords in plain text.
Windows authentication works when the client guarantees to the server that the user is who they say they are. No password is transmitted over the wire.

Any of those help You should not store even machine generated passwords in plain text.
Let's see what an attacker can do, if he somehow gains only read access to your database with SQL-injection (i made a small demo how easy SQL-injection can be, just click the next-arrow to get a malicious input).

wish help you to fix your issue I'm not familiar with ASP.NET sessions, but I'm assuming they're similar to PHP sessions. In that case, the actual session data is kept in a file on the server. If you're just trying to keep your users from seeing this password, I think that keeping them in the session would be sufficient.
However, you haven't told us exactly how this username and password come to exist and are used. If you have just one username / password that your application uses to make requests to the web service, there is no point in keeping them in the session at all - simply store them in a global config.

wish help you to fix your issue yes, FTP was not designed to be a secure protocol, and does send in plaintext (even login credentials). It could easily be sniffed and read.
for security, have a look at some alternatives:

may help you . It's possible. Whenever you change the password, the software could create hash codes for all combinations of the same password with a few characters masked or removed.
If your password is hello, it could create hash codes for _ello, h_llo, he_lo, hel_o, hell_, __llo, _e_lo, _ell_, he_l_, he__o... et.c.