In general, it is not a good security practice to send passwords unencrypted, even over your intranet. As has been mentioned, FTP is not encrypted. Of course, if you have not set up your web page with SSL, neither is your web session, so changing to SSH will not really solve the problem.

If your web server is Apache, you can use mod_auth_pam or mod_auth_shadow. More info would be needed about the web server and OS to get more specific ...