See discussion here.
https://community.home-assistant.io/t/generic-camera-password-issues-camera-or-code
The current camera definition (at least generic IP) appears to use the explicit username/password only for the still image. Most cameras that are going to require authentication will likely require it on both the still and stream.
As currently implemented this means that one must put the password in the RTSP URL explicitly, e.g.
rtsp://username:password@location/etc
This in turn cannot be redacted by using the secrets (except by replacing the entire URL, and if you have many cameras with the same credentials that is very repetitive).
Instead, if a username/password is explicit in separate lines (as it likely is for stills), and NOT present in the stream URL, before passing off the stream URL edit the username/password into it.
Slight alternative is to provide a separate stream_username, stream_password, but it seems pretty unlikely someone would need separate credentials for still vs stream from a camera (or more to the point, not necessary and those very few could change rather than cluttering the config with two more lines).
The important aspect of this is it makes concealing the credentials in the secret file much more straightforward.
Thanks for considering.
Linwood