Why would you need to worry about these at all?
The password is supposed to be given to bcrypt, and the result from bcrypt is something that's usually not suitable for attacks on anything.
So yeah, it may be sensitive, if you store plaintext passwords, but then that'll be the least of your worries.
