Anyway there is the point, need to access 'hack' the server to stolen _pw field.
So the setinfo is the minor of problems in this case lol.
For me do not make any sense the excuse that setinfo _pw is exposed to someone in the server, since who have access to edit/upload plugins also have access to users.ini in amxx.
That said, use a steam id or hide _pw when player enter in a server is a complete mistake when you think in this way.