This bug report is a summarized version of this blog post:
(It may actually be easier to just read the blog post.)
When logged in as admin, the form for adding/editing a new user does not have a password confirmation field. While this makes a kind of logical sense (no need to confirm the password since admin is setting it for the target user, not for admin), in practice the result is that admin may, out of habit, just re-paste the password into the Real Name field in the form, mistakenly assuming it is a password confirmation field, since that's where such a field would usually be (right after the original password field).
The result is a rather severe failure: the password is displayed in cleartext on the user listing, where the user's real name would usually be.
The fix is simple:
On or before form submission, check whether Real Name and Password have the same value. If they do, pop up a warning and get confirmation that this is really intended (which it almost surely is not).
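One way to implement the check proposed above, as an added example that is not code from the project or the blog post. The form id `user-form`, the input names `realName` and `password`, and the helper function names are assumptions for illustration.

```javascript
// Added example: form id, input names and function names are hypothetical.

// Normalize a pasted value so stray whitespace or Unicode form
// differences do not hide an accidental duplicate.
function normalizeField(value) {
  return String(value == null ? '' : value).normalize('NFKC').trim();
}

// True when Real Name holds the same text as the password.
// An empty password (for example "leave unchanged" on edit) never matches.
function realNameEqualsPassword(fields) {
  const password = normalizeField(fields.password);
  if (password === '') return false;
  return normalizeField(fields.realName) === password;
}

// Decide whether the submission may proceed. confirmFn is called only
// when the two fields match and must return true to allow the submit.
function allowSubmit(fields, confirmFn) {
  if (!realNameEqualsPassword(fields)) return true;
  return confirmFn(
    'Real Name is identical to the password and will be shown in ' +
    'cleartext on the user listing. Submit anyway?'
  ) === true;
}

// Browser wiring; skipped when no DOM is available.
if (typeof document !== 'undefined') {
  const form = document.getElementById('user-form');
  if (form) {
    form.addEventListener('submit', (event) => {
      const fields = {
        realName: form.elements['realName'].value,
        password: form.elements['password'].value,
      };
      // Cancel the submit unless the admin explicitly confirms.
      if (!allowSubmit(fields, (msg) => window.confirm(msg))) {
        event.preventDefault();
      }
    });
  }
}
```

The same `realNameEqualsPassword` comparison can be repeated on the server before the record is stored, so the check still applies when the client-side script does not run.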