wp_login_failed option is enabled, the password entered is shown to admins:
<some_username> tried to log in to <some_WP_site>
Password tried aaa
IP some.ip.address | 12.34.567.89
User agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0
I do not like it. Admins should NOT see what users entered - this is Big Brother. They should see there was a fail on login due to incorrect password, indeed, but not the password itself.
I am suggesting add an option (checkbox)
do not log the password entered or something like that.