Thanks for letting us know - I’ve raised this issue for this to be addressed in an upcoming release.
If this is an immediate problem, you can work around this, by making use of variable substitution instead.
Another option is to copy this step into your custom template library, and apply the sensitive flag to that ones password field, and then use that step instead.