I strongly suggest you still create a ticket and attach patches so that we can agree on the right approach.
Please have a look at framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/system/ManifoldCF.java . In there you will see two things: first, the code that looks up dbsuperusername and dbsuperuserpassword in order to create the database instance, and second, encryption code used for import and export of ManifoldCF configuration.
I had intended to add a property method called "getPropertyObfuscated" which would use the ManifoldCF deobfuscate() method to retrieve an obfuscated form of the property. For example, if the property was "org.apache.manifoldcf.dbsuperuserpassword", the method would first look for "org.apache.manifoldcf.dbsuperuserpasswordobfuscated" and if found would deobfuscate the results. Only if not found would it look at "org.apache.manifoldcf.dbsuperuserpassword". I still intend to make this change in MCF 2.0 and 1.8, regardless of what you wind up doing in the end.
FWIW, it is possible (and indeed I have been considering) replacing the current homegrown Obfuscate/Deobfuscate code with a real encryption algorithm. I would urge you to consider doing it that way rather than inventing something wholly new. The Java cipher framework allows you to register custom ciphers if that is what clients demand. (The import and export uses AES.) The only complication with this approach is that somewhere we'd need an encryption key, which would probably wind up being placed in properties.xml as well, or maybe buried in code. So you don't buy any real security this way, just protection from having someone see the password over one's shoulder.