For the JpaSource connector, I am storing the username & password in the App Server using dataSourceJndiName. For Repository user authentication & authorization, I am storing user credentials in the App Server using a JAAS realm; by using FileRealm, the password is in hash form. But one can implement a custom realm to secure the credentials in any form or data source.
When deployed within an app server and using JPA, using the app server to manage your data sources is absolutely the best way to do that.
Outside of the app server, however, you can leave the passwords out of the configuration file, use the JcrConfiguration class to load the configuration file and set the value(s) programmatically, and then start the engine. This approach allows you to get the password from any system (e.g., a keystore, encrypted file, etc.).
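A sketch of the standalone approach described above, added here as an example and not taken from the original posts or the project: the configuration file carries no password, the secret is read from a Java keystore, and it is set on the source before the engine starts. It assumes the ModeShape 2.x `JcrConfiguration` API and that the JpaSource password bean property is named `password`; the file paths, keystore alias and source name `store` are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.modeshape.jcr.JcrConfiguration;
import org.modeshape.jcr.JcrEngine;

public class SecureStartup {

    // Reads a password kept as a PBE secret-key entry (e.g. created with
    // "keytool -importpass") from a JCEKS keystore.
    static char[] readSecret(String path, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(storePass));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("No secret-key entry for alias: " + alias);
        }
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
        PBEKeySpec spec = (PBEKeySpec) factory.getKeySpec(
                ((KeyStore.SecretKeyEntry) entry).getSecretKey(), PBEKeySpec.class);
        return spec.getPassword();
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            throw new IllegalStateException("Run from a terminal to enter the keystore password");
        }
        char[] storePass = System.console().readPassword("Keystore password: ");
        // Hypothetical keystore path and alias.
        char[] dbPass = readSecret("/etc/myapp/secrets.jceks", storePass, "jpa-db-password");
        try {
            JcrConfiguration config = new JcrConfiguration();
            config.loadFrom("configRepository.xml"); // hypothetical file; contains no password
            // "store" is the assumed name of the JpaSource defined in that file.
            // The String copy is unavoidable here and cannot be wiped afterwards.
            config.repositorySource("store").setProperty("password", new String(dbPass));
            JcrEngine engine = config.build();
            engine.start();
            // ... obtain repositories from the engine and use them ...
        } finally {
            Arrays.fill(dbPass, '\0');   // wipe the copies we control
            Arrays.fill(storePass, '\0');
        }
    }
}
```

The keystore password still has to come from somewhere; prompting an operator or pulling it from an OS-level secret store keeps it out of files that sit beside the configuration.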