I've recently discovered that the perforce plugin stores the perforce password plain text in the build.xml files used for serializing build information. This seems to be a side effect of the PerforceTagAction including the Depot object for later use during tagging, which has the password inside it. This may or may not depend upon JENKINS-2947, as that would eliminate the need for the Depot object to be stored.