HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
08-28-2020, 14:21   Re: Hi little request to moderators

I don't see any problems with the code for multiple reasons:
1. get_user_info is a native that has legitimate uses and "_pw" is just like any other client info values which can be retrieved.
2. The default admin system from AMXX does this in order to implement the password functionality for admins.
3. Server owners are supposed to change amx_password_field to something unique, in order to prevent (to some extent) password leaks.

The code itself is fine and even if we delete it, if someone has half a brain he can extract it from admin.sma or figure out how to write such trivial code on his own.
However, what you can argue about is the insecure admin system design because of the usage of client info to store passwords. And even then, it's not like you have no other options:
- listen to the warning from amxx.cfg and change the setinfo field from _pw to something else
- use steamids instead of name + password for your admins. There's absolutely 0 reason not to use steamids in a steam only server. Therefore, the exploit is mostly a non-steam issue.

"But why does amxx allow password logins if I'm supposed to use steamids?"
The option is there if you want to use it and accept the risks and for compatibility reasons (it cannot be removed because amxx must remain backwards compatible). A much safer alternative exists, people should use it. If they don't, it's their own fault.
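A server-side check for the two mitigations listed in the post, as an added example that is not part of the original post and not AMX Mod X code. It assumes the stock admin file layout (users.ini with four quoted fields per entry, account flag "c" marking a SteamID entry and "e" meaning the password is not checked); the sample config text is constructed.

```python
import re

DEFAULT_FIELD = "_pw"  # default setinfo field named in the post


def password_field(amxx_cfg):
    """Return the effective amx_password_field value (last assignment wins)."""
    field = DEFAULT_FIELD
    for line in amxx_cfg.splitlines():
        line = line.split("//", 1)[0].strip()  # drop // comments
        m = re.match(r'amx_password_field\s+"?([^"\s]+)"?', line)
        if m:
            field = m.group(1)
    return field


def audit(amxx_cfg, users_ini):
    """List admin-config findings; passwords are never echoed."""
    findings = []
    if password_field(amxx_cfg) == DEFAULT_FIELD:
        findings.append('amx_password_field is still "_pw"')
    for n, line in enumerate(users_ini.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        fields = re.findall(r'"([^"]*)"', line)
        if len(fields) < 4:
            findings.append(f"users.ini:{n}: malformed entry")
            continue
        auth, _password, _access, account = fields[:4]
        # Assumed flags: "c" = SteamID entry, "e" = password not checked.
        if "c" not in account and "e" not in account:
            findings.append(
                f"users.ini:{n}: {auth!r} relies on a setinfo password, not a SteamID")
    return findings


# Constructed sample input, not taken from any real server.
SAMPLE_CFG = '''
// constructed sample amxx.cfg
amx_password_field "_pw"
'''
SAMPLE_USERS = '''
; constructed sample users.ini
"OldAdmin" "hunter2" "abcdefghijklmnopqrstu" "a"
"STEAM_0:0:123456" "" "abcdefghijklmnopqrstu" "ce"
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG, SAMPLE_USERS)) or "no findings")
```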