You should hide the username/password in your ~/.m2/settings.xml. Use settingsKey in your POM as a lookup key.
<settings>
[...]
<servers>
<server>
<id>serverId</id>
<username>username</username>
<password>password</password>
</server>
[...]
</servers>
[...]
</settings>
It’s also possible to use encrypted passwords. Follow the instructions in the encryption mini guide. Just like unencrypted passwords you have to be sure to set the settingsKey.
If the password can be decypted the plugin will do so, otherwise the encrypted password will be returned.