Masking the password (i.e. setting the form input type to “password”) will stop over-the-shoulder password theft, but I doubt that is actually much of a threat IRL. Masking the password does nothing to actually “hide” or encrypt the password, and thus doesn’t actually improve practical security.
I suspect the problem here, and the reason this issue hasn’t been, and cannot be, resolved, is that there is no way to store the password in the database as encrypted, and then retrieve it as text to use in the mail function. If it could be decrypted with a public function, then it would be no more secure than a plain-text password.
Saving and retrieving the password in the wp-config file only adds a mildly higher level of security, but I suppose it would be a slight improvement. That, or have the plugin write the password to an included PHP file in the plugin’s folder. But again, it would still need to be plain-text (or arbitrarily encrypted), as ultimately the password needs to be plain-text for the mailer function to use.
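
The wp-config approach described in the post above, as an added example that is not part of the original post and not the plugin's own code. The `EXAMPLE_SMTP_*` constant names, host, and account are hypothetical; `phpmailer_init` is the WordPress core hook that hands over the PHPMailer instance before a message is sent.

```php
<?php
// ---- wp-config.php, above the "That's all, stop editing!" line ----
// Hypothetical constant names and constructed values for this example.
define( 'EXAMPLE_SMTP_HOST', 'smtp.example.com' );
define( 'EXAMPLE_SMTP_PORT', 587 );
define( 'EXAMPLE_SMTP_USER', 'mailer@example.com' );
// Read the secret from the web server's environment when it is set there,
// so it is in neither the database nor this file. getenv() returns false
// when the variable is missing, which becomes an empty string here.
define( 'EXAMPLE_SMTP_PASS', getenv( 'EXAMPLE_SMTP_PASS' ) ?: '' );

// ---- plugin or mu-plugin file ----
add_action( 'phpmailer_init', function ( $phpmailer ) {
    // Fail closed: with no secret configured, leave the mailer untouched
    // instead of attempting an SMTP login with an empty password.
    if ( ! defined( 'EXAMPLE_SMTP_PASS' ) || '' === EXAMPLE_SMTP_PASS ) {
        return;
    }

    $phpmailer->isSMTP();
    $phpmailer->Host       = EXAMPLE_SMTP_HOST;
    $phpmailer->Port       = EXAMPLE_SMTP_PORT;
    $phpmailer->SMTPSecure = 'tls';   // STARTTLS on the submission port
    $phpmailer->SMTPAuth   = true;
    $phpmailer->Username   = EXAMPLE_SMTP_USER;
    // The mailer needs the plain-text value; it exists only in process
    // memory here and is never written to wp_options or a settings form.
    $phpmailer->Password   = EXAMPLE_SMTP_PASS;
} );
```

With this layout a database dump or SQL injection no longer exposes the password, but anyone who can read the site's PHP files or the server environment still can.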