My IRC server requires authentication with the IRC PASS operation, which works fine if I provide my password in cleartext in znc.conf:
Server = myserver.local 6667 secret
This is the same password I use to connect to ZNC, which is stored in znc.conf as well but hashed. Ideally, I'd like to get rid of the clear text password here. I think ZNC should be able to simply use the connecting users password when ZNC itself connects to the server.
If that means that we can only login to the target IRC server when a user connects to ZNC (because only then will the cleartext password be available), that is probably fine. ZNC doesn't have to connect on startup, it can delay the initial outgoing connection until the first client incoming connection is made.
If ZNC is a proxy then it is probably safe to assume that both a connection to ZNC _as well_ as to the target server requires authentication. That authentication should occur at the same time so cleartext passwords do not have to be stored permanently.