After agent (or external application) writes a plain password to the HTTPPassword field, it must also execute doc.computewithform(true,true) method before saving the document. Without this method the situation will be exactly like you experience it.

There can be other reasons too, but this is the most obvious reason I can think of.

I also remember that when using “more secure Internet password” setting, the password was automatically encrypted when saving document. If this behaviour changed between R5 and R7, the result would be an unencrypted password. I can’t verify it now by myself, but it can be worth looking at.