currently we dont show password in the NSPR log. But should we show username? Currently we do show username in the log fx when user authenticated usergroups. So perhaps we shouldn't remove the username in the NSPR log the same when as we do for passwords for NNTP, POP and IMAP.
I am trying to use this log to diagnose a problem. Removing the username would be a serious inconvenience. At sufficient levels of detail the NSPR log shows the contents of emails downloaded from the server. What is to be gained by hiding the username? If you're worried about funny business with the invoking command or the log itself anyone who could manipulate those probably could get at other Mozilla files within the user profile.
RESO WONTFIX per last comment