When errors occur (like the collection server not responding), Picard shows the error in the GUI's status line, including http requests containing username & password in clear text. I regard this as a double security problem:
Firstly, the username and password get shown for everyone to read in the status bar.
Secondly, even with https requests, apparently the username & password get transmitted over the net in clear text, like in the example shown? (https://username:firstname.lastname@example.org/ws/2/collection)