When we introduced
MNG-553, the passwords were only decrypted at the transport layer and the Settings instance kept in memory was kept encrypted. E.g. to save plugins from accidentally dumping the plain text passwords on the console or such.
This does currently not hold for 3.0-alpha-4 as org.apache.maven.plugin:maven-help-plugin:2.0:effective-settings shows.