The password to each site is encrypted before it’s written to the config file, then decrypted and passed to the Lync / SfB client as clear text in an API call.
If you’re concerned for the security of your passwords, consider letting Lync / SfB cache the credentials – that way bounSky doesn’t need to know your password.
