It would be great if we could provide the password for the DB connection not directly in the configuration files of the frontend and server. As an alternative I thought about an ENV variable or at least accepting a hashed string in the files.
I know it has been discussed several times in the forum now and I found an old "Bugs and Issues" ticket too, but I think it is often neglected from the wrong viewpoint. My point is not to see it as an issue if a user already on the server is reading the files - for us it's a problem because we want to have the config files in a git repository.
As a workaround we are currently using an "install" script which requests the password and injects it.