There are certain "commonly accepted port-numbers," and these are usually less-than 1024, which (briefly) requires root-privileges for the server to open them.
By "secure," the question is, "what do you mean by that?" The FTP protocol does not encrypt the traffic that's passing over the net; SFTP does. FTP also uses "simple password" authentication, which means that at some point a password is passing over the wire, unencrypted. But SFTP can accept "simple passwords," too.
Basically, if you want truly-secure communication, you have to eliminate passwords.
There must be nothing, open to the public Internet, that anyone can "try to send a 'user-name and password' to," period.
When you go to work, you probably have to use a badge. You can't duplicate the badge, it's assigned uniquely to you, and when you leave the company your badge drops dead. (I have an Apple badge, for instance, but it won't get me into the front door at Cupertino now.)
Certificate-based security can do the same thing.
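
An added example, not part of the original post: a Python check that reports every scope of an sshd_config in which a password can still be offered to an SFTP server. It assumes the server is OpenSSH; the sample configs, user name and CA path are constructed, and `Include` files and `AuthenticationMethods` are not evaluated.

```python
# Added example (not from the original post): flag password-style logins
# in OpenSSH sshd_config text. Defaults are OpenSSH's documented defaults.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "permitemptypasswords": "no"}
# Older configs spell the keyboard-interactive switch this way.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_cfg, [(match_condition, cfg), ...]).

    sshd uses the first value it sees for a keyword, so later duplicates
    in the same scope are ignored here too.
    """
    global_cfg, matches = {}, []
    scope = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = {}                      # settings below apply to this block
            matches.append((value, scope))
            continue
        scope.setdefault(ALIASES.get(key, key), value)
    return global_cfg, matches


def password_findings(text):
    """List every scope in which a password can still be offered."""
    global_cfg, matches = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_cfg}
    found = [f"global: {k}" for k in DEFAULTS if effective[k].lower() == "yes"]
    for cond, cfg in matches:
        found += [f"Match {cond}: {k}" for k in DEFAULTS
                  if cfg.get(k, "").lower() == "yes"]
    return found


# Constructed sample configs (user name and CA path are made up).
WEAK = ("PasswordAuthentication yes\nPasswordAuthentication no\n"
        "Match User legacy\n    PasswordAuthentication yes\n")
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "TrustedUserCAKeys /etc/ssh/user_ca.pub\n")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source to run the same check against.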