It is a security risk for any application, and can have legal ramifications. In the following example, a developer's debugging code was accidentally checked into source code control, and a few weeks later all users' private passwords were found in the console log for Tomcat – in production:
    public void setKeyPassword(String password)
    {
        System.out.println("Setting key password: " + password);
        this.keyPassword = password;
    }
This could also occur if all web service calls were logged indiscriminately and one of the calls was a login(username, password) call.
If you must debug passwords, do it in such a way that it can never inadvertently be checked into the project.
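One way to keep credentials out of a blanket web service call log, shown as an added example that is not code from the original page. The class name RedactingCallLogger, the list of sensitive parameter names and the sample calls are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

// Hypothetical helper (not from the original page): formats a web service
// call for the log and masks any argument whose parameter name is sensitive.
public class RedactingCallLogger {

    // Assumed list of sensitive parameter names; extend it for your own API.
    private static final Set<String> SENSITIVE =
            Set.of("password", "keypassword", "passwd", "secret", "token");

    static String describe(String method, Map<String, String> args) {
        StringJoiner joined = new StringJoiner(", ", method + "(", ")");
        for (Map.Entry<String, String> e : args.entrySet()) {
            String name = e.getKey();
            boolean hide = SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
            // Record only that a value was supplied, never its content or length.
            String shown = hide
                    ? (e.getValue() == null ? "<unset>" : "<redacted>")
                    : String.valueOf(e.getValue());
            joined.add(name + "=" + shown);
        }
        return joined.toString();
    }

    public static void main(String[] argv) {
        // Constructed sample call, mirroring the login call described above.
        Map<String, String> call = new LinkedHashMap<>();
        call.put("username", "alice");
        call.put("password", "constructed-sample-value");
        System.out.println(describe("login", call));

        // Setter equivalent: log that the key password was set, not its value.
        Map<String, String> setter = new LinkedHashMap<>();
        setter.put("keyPassword", "constructed-sample-value");
        System.out.println(describe("setKeyPassword", setter));
    }
}
```

Routing every call description through one formatter like this means a new login-style method is masked by its parameter name rather than by someone remembering to exclude it from logging.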