In regards to cleaning a database with previously stored passwords, it seems that the wp_signups table can have the meta info cleared for any user that has already been activated (since this info has been copied to the "active" location for user info).
Then there's just the users that have yet to be activated. These still need the password to remain intact in order for that password to be used for their login, and this is the expected behavior moving forward. These signups can be purged at the administrator/owner's discretion if they aren't activated within a certain duration.
This isn't implemented within the plugin, but I'm just stating possible actions that can be done to the database for others looking for suggestions. *I should state these methods are, as yet, untested so be sure to backup your database before doing anything (which you should be doing anyway).