This post has NOT been accepted by the mailing list yet.
it seems, that the Sonar Plugin do not hide the password and username anymore, when we are using the maven-like SonarQube analysis of the plugin (for the standard one "Invoke Standalone Sonar Analysis" it is still working).
We discovered that it still worked with the Jenkins version 1.580.1.
With the version 1.596.3 it is not working anymore. The passwords are not hided anymore and so everyone can see them.
As it was working with an previous Jenkins version, it seems that the Jenkins core is causing the problem, but I do not know how the masking is working in Jenkins core, and thats why I am posting it in here, maybe you know how to fix it :)