We could also consider a setting and/or privilege on whether to pass through existing passwords at all, and instead only allow them to be changed. This would require more work though.

Actually the show/hide button should be there even when there's no default password. It's an accessibility feature for those who are not confident in their typing.

However, as a stopgap, browser extensions do exist:
https://addons.mozilla.org/en-US/firefox/addon/show-me-the-passsword/?src=recommended
https://chrome.google.com/webstore/detail/show-and-hide-passwords/panhbjhhhpldcicghpekhonnmfnpgibd

Note you need to put spellcheck="false" on any field that is converted from type="password" to type="text", as there is a security concern:
https://it.slashdot.org/story/22/09/19/2133252/microsoft-edge-google-chrome-enhanced-spellcheck-feature-exposes-passwords?utm_source=rss1.0mainlinkanon&utm_medium=feed

We also need to consider hybridauth.xml, which is a config file which can contain raw keys in. I think anywhere a key can be defined should support Tempcode, so you could do {$VALUE_OPTION,facebook_private_key) for example, and then set that in Commandr:
:set_value('facebook_private_key', 'abcdef');

EDIT: This is now implemented using the new keys.csv importing mechanism from admin_config.