When a user can access the administrative area of the site, it is possible to view the database connection information on an existing store. When viewing the data source, as seen below, the password is replaced with a line of asterisks. However, when a user views the source of the page, the information is shown in clear text
<li title="password used to login">
<input class="text" type="password" value="SuperSecretPassword" name="parametersPanelarameters:6arameterPanel:border:border_bodyaramValue"/>
Just merged a pull request on master to fix this. Could not find anyone to review it prior to merge though.
Could you test a nightly build? Any build with a date of March 16th or later (yet to be produced at the time of writing) should contain the fix:
Will leave on master only then