Debug log is for debugging. You may need to see the password to debug a problem.
I am using WinSCP.exe plus the .NET component in an automated environment where I want to let users configure the system to write a debug log to disk in cases where they think the remote FTP server or interaction with the WinSCP component is the problem. Short of me doing some post-processing on the debug log, which is unreliable since I am not the maker of the log, we have potential to have passwords sitting in plain-text in a server-environment. When writing the log the password is known so can we have an option to mask all instances of it before writing the debug log to disk? If the option were added, it seems logical to make masking the password the default behavior and make users flip a bit to log the password in plain-text.