Passwords and secrets are stored in memory in cleartext as plain strings
This means they can be accidentally logged, printed, or otherwise leaked. It'd be better to have a custom type that can't be printed or logged. Maybe not even cloned. The secret should not be possible to extract form the type: the type should implement itself any operations the require the secret.