these store pin/pw in your user config files - it may be primitively hashed to obscure it, but it's there. it never pretended to have secure storage and even saved cleartext until e19. make sure people are aware