This applies to all kind of sensitive fields in the RACF database, like password, passphrases (although encrypted), certificate keys, etc.CKGRACF is a zSecure command that can be used to set a password/phrase. These are hidden in the command output. But that is independent of the CKNDSN setting to hide/allow showing of the sensitive field-values for all the existing profiles.
If you look at the RACF templates, there is a flag that specifies if the field in the RACF database is considered "sensitive". zSecure hides these (and a few more) by default.