ok, so to clarify:
1) Most important: if a computer can activate license without you putting in the password, then the password can be extracted. Encrypting won't work since the encryption key would have to be also stored locally. BFU might not be able to do it on his own, but somebody could do a BFU-friendly application for that. Always bear that in mind. The only safe way is to use Box license or the licensing server.
2) The recommended solution in untrusted environment is using the licensing server. When using the licensing server (correctly ;)), there are no passwords stored on end-user machines, only on the server. There are no passwords being sent over the local network. The password is only sent from licensing server to our server, using standard HTTPS encryption, which is impossible to intercept without having access to the server or launching a very sophisticated man-in-the-middle attack.
3) Password is stored in plain text only when using the activation via CoronaActivation.txt file. If you input the login in 3ds Max activation dialog, it will get saved to HDD in encrypted form (which is still breakable! - see #1)
4) Even when using CoronaActivation.txt, you can delete the file after initial activation - the login will then be stored in breakable, but encrypted form (same as #3), and automatic extensions of the license will work
5) You cannot lock somebody out of his account without breaking into his email - since all passwords can be reset via emailed link.
6) You cannot order new stuff after breaking int somebody's account. You can only cancel his subscriptions (Corona will still work for the period that was already paid for)