diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php
index 6e4f85f36847779048b0cd5ca94dff6406ec7177..7f557975abd605fb8c4a017cde3b46fcbf0dd1e5 100644
--- a/lib/plugins/authad/auth.php
+++ b/lib/plugins/authad/auth.php
@@ -642,6 +642,7 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin {
         // compatibility with old option name
         if(empty($opts['admin_username']) && !empty($opts['ad_username'])) $opts['admin_username'] = $opts['ad_username'];
         if(empty($opts['admin_password']) && !empty($opts['ad_password'])) $opts['admin_password'] = $opts['ad_password'];
+        $opts['ad_password'] = conf_decodeString($opts['ad_password']); // deobfuscate
 
         // we can change the password if SSL is set
         if($opts['use_ssl'] || $opts['use_tls']) {
diff --git a/lib/plugins/authad/conf/metadata.php b/lib/plugins/authad/conf/metadata.php
index 25c4ab4134decacef4f19eefe7090b4f2514293f..6b0fc168bcf0e934ea9ba5bd292b0c9ed5a7892d 100644
--- a/lib/plugins/authad/conf/metadata.php
+++ b/lib/plugins/authad/conf/metadata.php
@@ -6,7 +6,7 @@ $meta['domain_controllers'] = array('string','_caution' => 'danger');
 $meta['sso']                = array('onoff','_caution' => 'danger');
 $meta['sso_charset']        = array('string','_caution' => 'danger');
 $meta['admin_username']     = array('string','_caution' => 'danger');
-$meta['admin_password']     = array('password','_caution' => 'danger');
+$meta['admin_password']     = array('password','_caution' => 'danger','_code' => 'base64');
 $meta['real_primarygroup']  = array('onoff','_caution' => 'danger');
 $meta['use_ssl']            = array('onoff','_caution' => 'danger');
 $meta['use_tls']            = array('onoff','_caution' => 'danger');
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 90ec770e9dc0d50e65155f0f61dd32a7964d1b8d..4c9c17786e1653e8767f752ab987d5141ab23aec 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -60,7 +60,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
         // indirect user bind
         if($this->getConf('binddn') && $this->getConf('bindpw')) {
             // use superuser credentials
-            if(!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
+            if(!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
                 $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
                 return false;
             }
@@ -165,7 +165,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
         // force superuser bind if wanted and not bound as superuser yet
         if($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) {
             // use superuser credentials
-            if(!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
+            if(!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
                 $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
                 return false;
             }
@@ -307,7 +307,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
         } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
             // we are changing the password on behalf of the user (eg: forgotten password)
             // bind with the superuser ldap
-            if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
+            if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))){
                 $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
                 return false;
             }
@@ -550,7 +550,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
             }
 
             if($this->getConf('binddn') && $this->getConf('bindpw')) {
-                $bound = @ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'));
+                $bound = @ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')));
                 $this->bound = 2;
             } else {
                 $bound = @ldap_bind($this->con);
diff --git a/lib/plugins/authldap/conf/metadata.php b/lib/plugins/authldap/conf/metadata.php
index a67b11ca65d2d8c2436acc8a2643ee255e65fcba..f32aed1914bb9ac09e39ce82b43a6791cc12277d 100644
--- a/lib/plugins/authldap/conf/metadata.php
+++ b/lib/plugins/authldap/conf/metadata.php
@@ -10,7 +10,7 @@ $meta['starttls']    = array('onoff','_caution' => 'danger');
 $meta['referrals']   = array('multichoice','_choices' => array(-1,0,1),'_caution' => 'danger');
 $meta['deref']       = array('multichoice','_choices' => array(0,1,2,3),'_caution' => 'danger');
 $meta['binddn']      = array('string','_caution' => 'danger');
-$meta['bindpw']      = array('password','_caution' => 'danger');
+$meta['bindpw']      = array('password','_caution' => 'danger','_code'=>'base64');
 //$meta['mapping']['name']  unsupported in config manager
 //$meta['mapping']['grps']  unsupported in config manager
 $meta['userscope']   = array('multichoice','_choices' => array('sub','one','base'),'_caution' => 'danger');
diff --git a/lib/plugins/authmysql/auth.php b/lib/plugins/authmysql/auth.php
index 1b7d0bfa4ea0668eb1d4911e67622b03c52de4dc..999542a3deb5288b6879c85fd11b749ebeecf727 100644
--- a/lib/plugins/authmysql/auth.php
+++ b/lib/plugins/authmysql/auth.php
@@ -874,7 +874,7 @@ class auth_plugin_authmysql extends DokuWiki_Auth_Plugin {
      */
     protected function _openDB() {
         if(!$this->dbcon) {
-            $con = @mysql_connect($this->getConf('server'), $this->getConf('user'), $this->getConf('password'));
+            $con = @mysql_connect($this->getConf('server'), $this->getConf('user'), conf_decodeString($this->getConf('password')));
             if($con) {
                 if((mysql_select_db($this->getConf('database'), $con))) {
                     if((preg_match('/^(\d+)\.(\d+)\.(\d+).*/', mysql_get_server_info($con), $result)) == 1) {
diff --git a/lib/plugins/authmysql/conf/metadata.php b/lib/plugins/authmysql/conf/metadata.php
index 54d6f14041161cf916ed19bc41a997f7aa581c97..bad34e669b72e3b515d0a499bddd7f399b3ab6b1 100644
--- a/lib/plugins/authmysql/conf/metadata.php
+++ b/lib/plugins/authmysql/conf/metadata.php
@@ -2,7 +2,7 @@
 
 $meta['server']           = array('string','_caution' => 'danger');
 $meta['user']             = array('string','_caution' => 'danger');
-$meta['password']         = array('password','_caution' => 'danger');
+$meta['password']         = array('password','_caution' => 'danger','_code' => 'base64');
 $meta['database']         = array('string','_caution' => 'danger');
 $meta['charset']          = array('string','_caution' => 'danger');
 $meta['debug']            = array('multichoice','_choices' => array(0,1,2),'_caution' => 'security');
@@ -31,4 +31,4 @@ $meta['UpdateEmail']      = array('string','_caution' => 'danger');
 $meta['UpdateName']       = array('string','_caution' => 'danger');
 $meta['UpdateTarget']     = array('string','_caution' => 'danger');
 $meta['delUserGroup']     = array('','_caution' => 'danger');
-$meta['getGroupID']       = array('','_caution' => 'danger');
\ No newline at end of file
+$meta['getGroupID']       = array('','_caution' => 'danger');
diff --git a/lib/plugins/authpgsql/auth.php b/lib/plugins/authpgsql/auth.php
index 4cb280aae34063687f2daed571cd20485905015d..7b677d3d7394dd6bbb84ece3cdc8ca02ec5416f9 100644
--- a/lib/plugins/authpgsql/auth.php
+++ b/lib/plugins/authpgsql/auth.php
@@ -303,7 +303,7 @@ class auth_plugin_authpgsql extends auth_plugin_authmysql {
             $dsn .= ' port='.$this->conf['port'];
             $dsn .= ' dbname='.$this->conf['database'];
             $dsn .= ' user='.$this->conf['user'];
-            $dsn .= ' password='.$this->conf['password'];
+            $dsn .= ' password='.conf_decodeString($this->conf['password']);
 
             $con = @pg_connect($dsn);
             if($con) {
@@ -428,4 +428,4 @@ class auth_plugin_authpgsql extends auth_plugin_authmysql {
         }
         return $string;
     }
-}
\ No newline at end of file
+}
diff --git a/lib/plugins/authpgsql/conf/metadata.php b/lib/plugins/authpgsql/conf/metadata.php
index fbd0512702fb668351cb48d7916fa0cd8199899e..cb9c4564366fea2848d352fa5a780813cd44cd6c 100644
--- a/lib/plugins/authpgsql/conf/metadata.php
+++ b/lib/plugins/authpgsql/conf/metadata.php
@@ -3,7 +3,7 @@
 $meta['server']           = array('string','_caution' => 'danger');
 $meta['port']             = array('numeric','_caution' => 'danger');
 $meta['user']             = array('string','_caution' => 'danger');
-$meta['password']         = array('password','_caution' => 'danger');
+$meta['password']         = array('password','_caution' => 'danger','_code'=>'base64');
 $meta['database']         = array('string','_caution' => 'danger');
 $meta['debug']            = array('onoff','_caution' => 'security');
 $meta['forwardClearPass'] = array('onoff','_caution' => 'danger');
@@ -30,4 +30,4 @@ $meta['UpdateEmail']      = array('string','_caution' => 'danger');
 $meta['UpdateName']       = array('string','_caution' => 'danger');
 $meta['UpdateTarget']     = array('string','_caution' => 'danger');
 $meta['delUserGroup']     = array('','_caution' => 'danger');
-$meta['getGroupID']       = array('','_caution' => 'danger');
\ No newline at end of file
+$meta['getGroupID']       = array('','_caution' => 'danger');