I think passwords are always sensitive. If a user is creating a password variable, I think the Is sensitive property should be enabled by default.
I think this should also be included in a conversion script that will merge all passwords to sensitive fields.
Yes, will implement this for next version.