After saving the configuration on the esp you can see the mqtt password in cleartext via the webinterface, so everyone in the wifi could see it.

Normally we would expect the devices to exist within a 'friendly' network or a private subnet so display of the mqtt password should not be an issue.
However there is no benefit to the display of mqtt user/pass on the status page so I have removed them and added system uptime in the latest beta (1.55).
Please note that any network user with access to the web interface can easily find the mqtt password from the configuration page using 'show source' in the browser or network snooping with wireshark.

Paul.