I think the catch is whether the passwords are unencrypted in memory constantly, or only during a short period when the password is being used?