I wrote a plugin that access the Settings object. That object is instantiated by maven, and contains the merge of all settings available (M2_HOME/conf/settings.xml, ~/.m2/settings.xml and "-s settings.xml").
with my plugin, I look after my corporate encoded passwords, decode them, and update the Settings object with the decoded value.
I linked my plugin with initialize, generate-resources and process-resources phases. My debug shows me that at the very first phase (initialize), the Settings object is well updated (password decrypted using our corporate tool), and the two next phases show the correctly updated Settings object - having the passwords decrypted.
However, when maven goes for downloading dependencies, it fails because maven takes the encrypted version of the password. IMHO, I think that maven reads again the settings.xml file, whether it should use the Settings object.