It makes sense that when accessing another database with a DB Link relying on a password, the client database has to know the password in order to convince the destination database to let it in.
And if the database knows how to do it, then someone in a white, black or grey hat will work it out.

Of course, if you have the privileges to do a simple DBMS_METADATA.GET_DDL on a database link, it gives you a gibberish version of the password. And that is sufficient for you to recreate the database link on another database.
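To see how far that exposure reaches on a given database, the following added example (not from the original post) lists the links that store a password, shows the DDL for one of them, and lists who can pull that DDL for links they do not own. It assumes access to the DBA_ dictionary views; EXAMPLE_LINK and EXAMPLE_OWNER are placeholders.

```sql
-- Added example: audit of database-link credential exposure.
-- Assumes the session can query the DBA_ dictionary views.

-- 1. Fixed-user links: USERNAME is populated, so a password is stored with the link.
SELECT l.owner,
       l.db_link,
       l.username AS remote_user,
       l.host,
       l.created
FROM   dba_db_links l
WHERE  l.username IS NOT NULL
ORDER  BY l.owner, l.db_link;

-- 2. The DDL the text refers to, for one link from the list above.
--    EXAMPLE_LINK and EXAMPLE_OWNER are placeholders, not real objects.
--    Treat the returned statement as a credential: it is enough to
--    recreate the link on another database.
SELECT DBMS_METADATA.GET_DDL('DB_LINK', 'EXAMPLE_LINK', 'EXAMPLE_OWNER') AS link_ddl
FROM   dual;

-- 3. Who can run step 2 against links they do not own.
--    DBMS_METADATA returns other schemas' objects to holders of
--    SELECT_CATALOG_ROLE. Only direct grants are listed here; if a grantee
--    is itself a role, repeat the query with that role name.
SELECT grantee,
       admin_option
FROM   dba_role_privs
WHERE  granted_role = 'SELECT_CATALOG_ROLE'
ORDER  BY grantee;
```

Each link owner from step 1 belongs on the same list as the grantees from step 3, since owners can always extract the DDL of their own links.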

There is a difference, a small difference, between having that hashed/crypto value and the actual password though.
