I was talking about security breaches from the outside, of course admins can still see it.
To overcome this issue, I’ve built a mechanism to encrypt passwords before they’re saved in the collection, the encryption-decryption process is handled by an external API on other websites, the main goal for this mechanism is to make a one-password for multiple websites that are owned by the same vendor, and store the passwords locally on each website but encrypted, so the admins of these websites can’t see what the password is, and these encrypted-passwords can’t be used to login by themselves, the login process is handled on an external API on the main website, and there’s also a mechanism to sync the password automatically on all the websites when it’s changed on any of them.
The reason why I’m telling about this is that there’s always a way to secure the process.