We have a few integration points which use a specific set of user and password for connecting to the interfaces.
We have currently added these passwords as configurations under runmodes, so that we can configure on per environment\runmode basis.
The passwords in these configurations are stored in plain text and anyone having access to CQ will be able to read these values.
I am polling the group for checking if there are options for masking\encrypting the passwords in configurations so that they are not visible in plain text. Also if you have any other ways to "hide" the passwords from the users, please suggest the same.
Thanks Yogesh, the post has been helpful and can apply for the configurations being maintained in the Apache Felix.
Also there is another flavour of configurations where for example some user and password need to be stored in plain text in a conf file for LDAP integration. As per my understanding there isn't a way to encrypt the same.
Just now I published the article applicable to CQ5.5 onwards, hope you find it helpful. I have filed a documentation update request.