It should only be in your /conf/_config.php file. Where else are you seeing it?

Apologies - it IS only the conf file, I had made a backup of the file before editing it and saw multiple results when I searched on it.

Anyway, is there a way to hide the db pw so it's not text readable in the config file?

I searched through the forum and don't find anything there about this. I know some web apps like this encrypt the db password in the config file. You could make a post in the Feature request forum asking for that. You may also want to set the permissions on your server so that the config file isn't visible to anyone you don't want it to be.

Why worry about it since no one other than those you give server access to can get at that file? Try reading it through a browser and you'll see that you get a blank page.