I think too that the password should never ever be revealed once entered; not in exceptions, nor in other debug messages.
Probably adapting the AbstractFileName.toString to not print the password would fix most of this. Then the method getFriendlyURI can be deprecated as well.
I have one remark though. I really dislike the format 'scheme://user:***@host' where the password is hidden with *** ; it is kind of ugly and I don't think it serves any purpose to show the ***.
I would rather prefer 'scheme://user@host' in all cases; it is shorter and more to the point.
I hope you fix this soon.
In my opinion, when the credentials of the user were not in the URI but have been given using the Authentication in the FileSystemOptions the username should also be in the FileName.toString(), which is currently not the case.