It seems there is a bug in eithe the global name/password configuration or the consumption of these in the job, at least in an Ant build step.

I do the following:
1. create a global password in the global configuration, e.g. PW_1=password1
2. create a new job (free-style build)
3. in the job configuration, select "Mask Passwords" (seems this is always necessary, otherwise the global password param will not be evaluated, see issue JENKINS-11924)
4. define an ant invocation build step
5. in the properties of the ant step, define password=${PW_1}
6. run the job and inspect the log --> ok
7. go back to the global configuration and define another password, e.g. PW_2=password2
8. run the job you've created in step 2 again, WITHOUT entering the new PW_2 parameter somewhere in the job configuration
9. inspect the log

result: in the log I see the following line:
[myproj1] $ cmd.exe /C '"ant.bat -file build.xml -DPW_1=******** -DPW_2=password2" build && exit %%ERRORLEVEL%%"'

This means:
a) it seems global password parameters that have been added after the job was created show up in the log, even if they are not used in the job configuration
b) these passwords are not hidden