A BIOS setup driver may provide an admin password or user password capability. In the EDK II sample driver,
MdeModulePkg\Universal\DriverSampleDxe, the password is saved to a variable. However, the code in this sample driver might be copied into production code.
The EncodePassword function only applies a simple XOR with a constant key to encode the password before saving it to the variable. The variable can be read by anyone. Malicious code can read the variable and XOR it with the same constant key to recover the password easily.
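
The following added example is a Python model of the issue, not code from EDK II or the sample driver. It shows why a constant-key XOR leaves the stored value equivalent to plaintext, next to one common alternative (a salted PBKDF2-HMAC-SHA256 verifier). The key, the function names and the sample password are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed placeholder key; NOT the constant used by the sample driver.
DEMO_KEY = b"K3Y"


def xor_encode(password: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Weak scheme: XOR every byte with a fixed key embedded in the code."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def make_verifier(password: bytes, iterations: int = 100_000) -> dict:
    """Alternative: store only a random salt and a slow, one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(candidate: bytes, record: dict) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate, record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    password = b"Setup-Admin-1"  # constructed sample value

    # XOR with a constant is its own inverse: whoever can read the stored
    # value and knows the key (it ships in the binary) has the password.
    stored_weak = xor_encode(password)
    print("weak round trip:", xor_encode(stored_weak) == password)

    # The verifier record never contains the password or a reversible form.
    record = make_verifier(password)
    print("correct accepted:", check_password(password, record))
    print("wrong rejected:", not check_password(b"wrong", record))
```

Because the variable is readable by anyone, a stored verifier can still be guessed against offline, which is why the model uses a salted, iterated function rather than a single fast hash.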