This is expected behavior.
Delivering updates using a password protected FTP site is not recommended. The password will be visible in the client.wyc file. We recommend you either delivering updates via a public FTP site (i.e. read-only and/or anonymous FTP) or via an HTTP site.
If you're looking to limit updates using an HTTP download site, then see our article How to prevent or limit updates.