In dealing with a couple of problem devices not getting transfers, I happened to look into the contents of my .RA2 project file for it.
It'd be nice if the .RA2 zip files weren't just a binary blob of data. XML, text, JSON, SQL (of which there's some in there) would be nicer, at least for debugging.
What I discovered was the passwords I've set for the telnet logins are stored as plain text in the file. It took knowing what to search for, but there they all were. I'd imagine all it would take for someone else to find them would be to search on the lead-in hex characters from a project of their own. Find that and you'd find where they all start in any project file.
Lots of configuration databases get stored this way. After all, some kind of method needs to be used to get the passwords over to the devices. But it's considered good practice to at least obfuscate them to some degree. Not just leave them with no encrypting at all.
Granted, they can just as easily bring up the whole list from the Settings->Integration window. But leaving them 'in the clear' in the config files makes it possible for anyone else not having the software to see them. So don't go leaving them on unsecured websites or shared drives.
My advice is don't share your customer .RA2 files with anyone you wouldn't also share the usernames and passwords with. Likewise, don't put any of YOUR OWN commonly-used passwords in there, otherwise you'd be exposing them for abuse elsewhere.