Credentials (login/pw) are associated with the connection. This works the same as credentials associated with other data sources like SQL Server. The username is stored in the .twb file, but the password is not.
Are you using basic auth or OAuth or something else?
The tableau object in a web data connector has a connection name, and username and a password. So your are saying that the credential is associated with this tableau object and not with the Web Data Connector?
If that is the case, I would like to request that you add a new tableau object property "authScope" which could take values of "connection", "url", or "domain"
The reason for this should be clear. If I have a Tableau workbook with ten connections to the same Web Data Connector, the user shouldn't have to manage ten different passwords - they more likely have a single password or API key for the site. In Microsoft Power Query, web data connections can be scoped to the domain or the url, and that makes credential management pretty smooth.
Also please see this related thread where I am finding that passwords aren't getting sent to the data processing phase: How should "edit" work?
That's an interesting suggestion. I will definitely pass it along to the team working on WDCs.