jordanjay29 that's a good point.
I'm not sure removing access to the current value is the best default. I sometimes find myself checking which set of credentials I entered, or comparing the secrets with those from the third-party to make sure it's up to date. This can also be valuable info to send to the third-party support when there is an issue. Also sometimes the third-party service doesn't show you the password again ever, and it's useful to copy-paste here from the Flarum config.
But removing the value would also make sense for various security purposes. Rogue admins are one thing, but more importantly I think would be compromised admin accounts. If you steal the password of any of the admins, you also get access to SMTP credentials that could be used for spam. Depending on the extensions installed, other important credentials could be exposed. Social login credentials are probably low risk.
No idea if this should be an option in core or not. Hiding all secrets could be delegated to an extension for forums that need the extra security. The extension would have to make itself impossible to disable, which is feasible.
Extensions containing high risk credentials can already decide to never show secrets after they were entered.
Other things might need to be considered. Right now admin is already a very powerful role. If anyone gains access to admin, they can do pretty much whatever they want with the forum; accessing SMTP credentials might be the least of your worries. If Bazaar is installed, no amount of protection will do any good, as an attacker can simply install a new rogue extension that will fetch the hidden values for them or allow them shell access to the server.