Comment 6 for bug 1009262

Aaron Wells (u-aaronw) wrote :

It appears this issue has been around for a while. As mentioned in earlier comments, it's a tricky one to solve. We need to move the password around in plaintext because eventually it has to be passed as a plaintext string to the PHP core function ldap_bind().

As mentioned above, we could reimplement things so that the password is an object property instead of a string, and that would make it less likely to be printed out in a stack trace. We could even take things a step further and obfuscate the password, scrambling it in some reversible way using a random string as a key.
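An added example, not code from this bug thread or from the project it concerns, of the object-property approach the comment describes, in PHP: the password lives in a private property, so an exception trace renders the argument as Object(LdapBindPassword) instead of the string, and __debugInfo() redacts it in var_dump(). Assumes PHP 8.0 or later; LdapBindPassword, reveal() and ldap_bind_with_secret() are names chosen here, while ldap_bind() is the core function named in the comment.

```php
<?php
// Added example: keep an LDAP bind password out of stack traces and debug dumps.
final class LdapBindPassword
{
    private string $masked;   // password XOR-ed with a per-object random key
    private string $key;      // random key, same length as the password

    // #[\SensitiveParameter] (PHP 8.2+) redacts this argument in backtraces;
    // older PHP versions silently ignore unknown attributes.
    public function __construct(#[\SensitiveParameter] string $plaintext)
    {
        if ($plaintext === '') {
            // An empty bind password would request an unauthenticated bind.
            throw new InvalidArgumentException('bind password must not be empty');
        }
        // Reversible scrambling with a random key, as the comment suggests:
        // both halves are still in memory, but a casual dump shows only noise.
        $this->key    = random_bytes(strlen($plaintext));
        $this->masked = $plaintext ^ $this->key;
    }

    /** Produce the plaintext only at the moment ldap_bind() needs it. */
    public function reveal(): string
    {
        return $this->masked ^ $this->key;
    }

    /** var_dump()/print_r() show this instead of the real properties. */
    public function __debugInfo(): array
    {
        return ['password' => '[redacted]'];
    }

    /** Refuse to be stringified or serialised into a log by accident. */
    public function __toString(): string
    {
        return '[redacted]';
    }

    public function __serialize(): array
    {
        throw new LogicException('bind passwords must not be serialised');
    }

    public function __unserialize(array $data): void
    {
        throw new LogicException('bind passwords must not be unserialised');
    }
}

/**
 * Bind with the wrapper. If ldap_bind() throws or a trace is captured here,
 * the argument appears as Object(LdapBindPassword), not as the password.
 * @param resource|\LDAP\Connection $conn  result of ldap_connect()
 */
function ldap_bind_with_secret($conn, string $dn, LdapBindPassword $password): bool
{
    // ldap_bind() needs the plaintext string; it is produced here and not stored.
    return ldap_bind($conn, $dn, $password->reveal());
}
```

This narrows accidental disclosure rather than protecting the value: var_export() and reflection still see the real properties, and the plaintext is reconstructed on every reveal(). Setting zend.exception_ignore_args=On (PHP 7.4+) drops all arguments from exception traces and is the simplest complementary control.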