The password field when setting an API Key password needs to have the HTML attribute type = password, otherwise the browser will save entered passwords in plaintext, which is horrendously unsafe.
See the following as an example.
I can imagine some users not noticing this, entering their password in the browser, and then exposing that password through other text fields.