It's pretty obvious that the correct solution here is an encrypted store for the passwords on the filesystem, and an keyring process that keeps the unencrypted ones only in memory and hands them out to authorised applications. In other words, the exact same solution as everyone else already uses for this on other platforms (e.g. Gnome keyring, KDE's Wallet, Firefox's password/certificate store).

What seems to be lacking is any will to actually implement that.