WinSCP can protect stored passwords by strong AES cipher. In order to protect such sensitive information you need to set a master password. When a master password is not set, stored passwords can be easily decrypted by malicious software that have infiltrated your computer.
If you set the master password, each new instance of WinSCP will ask you to enter the master password the first time it needs to access protected passwords or protect new password.
Later you can change or remove the master password. If you remove the master password, passwords will not be protected anymore.
You can set master password in preferences.
When you forget your master password, there is no way to recover it, nor the protected passwords.
You can at least reset WinSCP back to unprotected state. Naturally, you lose all the protected passwords.
To reset master password, remove
Configuration\Security configuration section/key.
You also need to remove all protected passwords. For this, search for and remove all
TunnelPassword values from configuration subsections/subkeys of