I just noticed (in dealing with a webapp that appears not to handle accidental SQL-injection attacks in passwords gracefully) that 1Password reveals my old password in clear text. See below:
I see that when a field matches the current password, it is masked with bullets. However, if a field matches a previous password, as is the case with user_pass_confirm, it is not. Seems like including prior passwords in the list of values to mask would be a good idea. Clearly (as I'm posting it here), I don't consider my old password a big liability. But it's the principle of the matter.
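The masking rule suggested in the post, sketched as an added example (not part of the original post and not 1Password's code): a saved form field is masked when its value equals the current password or any entry in the item's password history. The function names, the availability of a history list, and the sample values are assumptions made for illustration.

```python
import hmac

MASK = "\u2022" * 8  # fixed-length bullets so the mask does not reveal length


def _is_secret(value, secrets):
    """True if value equals any known secret (constant-time per comparison)."""
    v = value.encode("utf-8")
    return any(hmac.compare_digest(v, s.encode("utf-8")) for s in secrets if s)


def mask_fields(fields, current_password, previous_passwords=()):
    """Return a display copy of saved form fields with secrets masked.

    fields: dict of saved web-form field name -> value
    previous_passwords: the item's password history (assumed to be available)
    """
    secrets = [current_password, *previous_passwords]
    shown = {}
    for name, value in fields.items():
        # Empty values are never treated as a match, so blank fields stay blank.
        shown[name] = MASK if value and _is_secret(value, secrets) else value
    return shown


# Constructed sample item mirroring the situation in the post:
# the confirm field still holds the previous password.
SAMPLE_FIELDS = {
    "user_login": "alice",
    "user_pass": "new-Pa55'word",
    "user_pass_confirm": "old-Pa55word",
}

if __name__ == "__main__":
    # Comparing against the current password only leaves the old one in clear text.
    print(mask_fields(SAMPLE_FIELDS, "new-Pa55'word"))
    # Including the history masks the stale confirm field as well.
    print(mask_fields(SAMPLE_FIELDS, "new-Pa55'word", ["old-Pa55word"]))
```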