The Repository Password is stored unencrypted in the jobs config.xml file. I'd suggest to use global Jenkins credentials for repository authentication.
Original issue JENKINS-29432 was lost with Wiki and issue tracker outage. I just created a new one with very basis description here. Some more information can be found in Pull Request 6 for maven-metadata-plugin.
Fixed with release 1.3.0