I'm currently making a conceptual model for a project and one of my entities happens to be a USER. It's key is a userID, and the properties include firstName, lastName, emailAdr, and userName. A user will have a password after the project is implemented which makes me wonder if I should add it as a property... or would that jeopardize confidentiality?
Conceptually you have to keep a password for the user so it makes sense to store it in the user entity.
However, as pointed out by @stepio, when you look at how you will implement that, keeping a hash (in fact, a strong secure hash) is a good way to store it so it is not exposed if compromised.
On another side if you use an ORM that instantiates the entity from the table ,for example, and you have some concern about the hash traveling through out the application you may choose to put the real hash in a separate table, and keep a reference to it in the user's table. Something like a Unix shadow password.