I've never known the password/s. I think Duncan might have changed it - he was saying he should.
We shouldn't use FTP, and it should be deactivated. FTP, like telnet, sends passwords unencrypted, so is a major security risk. I don't know if this is how the scumbags hacked the site (they could have run a dictionary attack and guessed the password), but it is a good measure to take anyway.
Does the CPanel use a secure server (yellow background in location bar)? I could show people how to use SSH (secure shell) tools as a way of transferring files. In fact, on Linux you just type something like:
scp myphoto.jpg http://www.theforest.org.uk:public_html/photos
Doing things securely on Windows is a bit more time consuming.