Passwords are stored in plain text in the tfstate file. Given that the tfstate file is stored securely in a remote backend that supports encryption, I think this is okay.
However, the tls_private_key documentation recommends not storing private keys in tfstate file for production. Does this imply the same for passwords? Is there a difference between passwords and private keys where one requires another layer of security?