The way to do this is via a onUpdate trigger within your mapping:
1. Remove your password property mapping from your OpenIDM -> SQL Server mapping. This will ensure that under normal circumstances the password will never be pushed out to the remote SQL Server.
2. Add a onCreate trigger within your OpenIDM -> SQL Server mapping which performs the following:
var clearObj = openidm.decrypt(source);
target.password = clearObj.password;
The above will decrypt the full source object and set the target.password to the current decrypted Managed User password whenever a Create operations is executed.