It does indeed have the password reveal function for convenience. This way the user can make sure a correct password is used in scanning.
While, like you mentioned, it could be a security risk, sharing a configuration file invariably means that passwords must go into that file. The passwords are encoded (not clear text), but whoever receives the file has at least two other options to recover them, even if password reveal function did not exist:
- The hard way, and not legal: reverse-engineer the scanner's code and find out how to decode them directly from the config file; or
- The easy way: use any app that reveals passwords in bullets-hidden edit fields. While MS has made it impossible in Windows 10, nothing would stop someone from running the scanner in Windows 7 and use for example BulletsPassView.
So even if we removed the password-reveal function, there are ways to extract stored passwords from a config file. The only reliable solution I see here is to remove access credentials from shared config files or create some sort of temporary accounts on your equipment.