1-Run a web application server configured with Shiro.ini
2-take a memory dump
3-parse memory dump using eclipse memory analyzer
4-Open Object query tab
5-Execute 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' statement
6-As you will see in the attachment, the user password is in human-readable format.
Didn't test it yet, but using a char array instead of a string, zero-filling it afterwards and then forcing GC can help, I think. I wasn't sure that this is a valid issue, so I raised the ticket under brainstorming. Thank you
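An added example (not code from the ticket or from Shiro) of the char-array approach suggested above: the plaintext lives in a char[] that is overwritten in close() as soon as the credential check is done, so wiping it no longer depends on the garbage collector (which System.gc() can only request, not force). Class and method names are hypothetical.

```java
import java.util.Arrays;

/**
 * Hypothetical credential holder: keeps the password as a char[] and zeroes it
 * the moment it is no longer needed. An immutable String cannot be wiped this
 * way; it stays in the heap until the collector reclaims it, which is exactly
 * what a heap dump taken in the meantime shows.
 */
public final class ZeroingCredentials implements AutoCloseable {
    private final char[] secret;
    private boolean cleared;

    public ZeroingCredentials(char[] secret) {
        // Defensive copy: this object owns the array and decides when it is wiped.
        this.secret = secret.clone();
    }

    /** Constant-time comparison so the check itself leaks nothing via timing. */
    public boolean matches(char[] expected) {
        if (cleared) throw new IllegalStateException("credentials already wiped");
        int diff = secret.length ^ expected.length;
        for (int i = 0; i < Math.min(secret.length, expected.length); i++) {
            diff |= secret[i] ^ expected[i];
        }
        return diff == 0;
    }

    /** Overwrite the plaintext; safe to call more than once. */
    @Override
    public void close() {
        Arrays.fill(secret, '\0');
        cleared = true;
    }

    public boolean isCleared() { return cleared; }

    public static void main(String[] args) {
        // Constructed sample input. In real code the password arrives from the
        // input layer already as a char[]; the String literal here is demo-only
        // and would itself sit in the string pool.
        char[] typed = "s3cr3t".toCharArray();
        boolean ok;
        try (ZeroingCredentials creds = new ZeroingCredentials(typed)) {
            ok = creds.matches("s3cr3t".toCharArray());
        }                                   // close() zeroes the internal copy here
        Arrays.fill(typed, '\0');           // the caller wipes its own copy too
        System.out.println("authenticated=" + ok + ", typed=" + Arrays.toString(typed));
    }
}
```

Every copy of the plaintext must be wiped, including the caller's own array and any intermediate buffers, or the heap dump will still show one of them.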