I may have misconfigured my HA core 2025.1.3 system because cat core.config_entries shows the mqtt password in the clear. Is there a setting to make it be stored as a hash?
Firstly, no. HA is basically unsecured once someone get access to the configuration files.
Secondly, a hash wouldn’t work. MQTT needs actual credentials, and the concept of an hash is that it cannot be “reversed” into an actual password.
Thirdly, encrypting the password HA side would be an improvement, but as it would need to be decrypted and that HA is open source, it would only add a very thin layer of pseudo-security, but I agree it would be better than nothing.