Is above correct?
You are encoding characters you do not have to, but it does not hurt.
The only suspect is the double-quote. The one included in your post is not the standard "quotation mark" (what is
%22), but "right double quotation mark" (what is
Find out which one is actually included in your password. Also as the "right double quotation mark" is not ASCII character, there can be encoding problem between WinSCP and the server. It is better to avoid such characters.
Also Unicode characters in URL encoding are supported in recent versions only:
Make sure you are using the latest version of WinSCP.