I know that it only shows you the password in plain text if A) you have access to the machine and B) you enter your machine's user login password
B is true for Keychain Access but not for the security system in general. If the login keychain is unlocked, like it is by default when you are logged in, you can use security to see all passwords in the login keychain without having to enter any password:

security dump-keychain -d ~/Library/Keychains/login.keychain
security find-internet-password -s accounts.google.com -w
You only have to press an allow button and the password is shown in plain text. Actually it's weird (and misleading) that Keychain Access and Safari do require entering the password of the keychain when you try to show a password.
There are at least three ways to reset the login password in single user mode or from the recovery partition. None of them reset the password of the login keychain though. If you try to log in after resetting the login password, you can't see any passwords in the login keychain, use auto-fill in Safari, or log in automatically in Mail. But if, for example, you use a Gmail address for your Apple ID, you have enabled automatic login in Gmail's web interface, and you don't use two-step verification for the Apple ID, an attacker could use the Gmail account to reset the Apple ID password. If the "Allow user to reset password using Apple ID" option in the Users & Groups preference pane is enabled, the attacker could then use the Apple ID to reset the password of the login keychain.
The hash of the login password is stored in /var/db/dslocal/nodes/Default/users/username.plist in 10.7 and 10.8. If your login password (which is usually also the password of the login keychain) is simple enough, the hash can be cracked in a practical amount of time with DaveGrohl:

$ sudo dave -u $USER
-- Loaded PBKDF2 (Salted SHA512) hash...
-- Starting attack
-- Found password : 'y8d'
-- (incremental attack) Finished in 879.274 seconds / 31,385 guesses... 35 guesses per second.
10.7 used a weaker key derivation function, which made it easy to crack even relatively complex passwords. 10.8 switched to PBKDF2, which limits cracking tools to about 10 guesses per second per core.
If you have enabled automatic login, the password of the login keychain is stored in /etc/kcpassword in an easy to decrypt form as of 10.8.
If you want to allow someone to use your account but not see passwords with security, you can lock the login keychain from Keychain Access or with security lock-keychain.
When you are away from the computer, you can lock it by, for example, checking "Require password immediately after sleep or screen saver begins" in the Security preference pane and pressing control-shift-eject to turn off the displays.
You can also enable locking the login keychain automatically from Keychain Access.
If you want to prevent people who have physical access to your computer from starting up in single user mode (and resetting the login password or seeing the hash of the login password), enable FileVault 2.
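An added example, not part of the answer above and not code from DaveGrohl or Apple: a small Python audit of the ShadowHashData record the answer points at, showing why the 10.8 PBKDF2 format limits an offline cracker to a low guess rate while the 10.7 single-pass format does not. The record is constructed inline with a known password so it runs offline; the field layout (128-byte derived key, 32-byte salt and an iteration count for SALTED-SHA512-PBKDF2; 4-byte salt followed by a SHA-512 digest for the 10.7 SALTED-SHA512 form), the iteration count, and the function names build_user_record, parse_shadow_hash, verify_password, measure_guess_rate and assess are all assumptions made for this illustration. Reading a real record requires root and the path from the answer.

```python
import hashlib
import hmac
import plistlib
import time

# Constructed sample inputs (not taken from a real system). On 10.7/10.8 the real
# record is /var/db/dslocal/nodes/Default/users/<username>.plist, readable only as
# root, and its "ShadowHashData" entry holds a nested binary plist.
SAMPLE_PASSWORD = b"y8d"            # the weak password cracked in the answer's example
SAMPLE_ITERATIONS = 25_000          # assumed count; real records vary per user
SAMPLE_SALT = bytes(range(32))      # fixed, constructed salt so results are reproducible


def build_user_record(password, salt, iterations, legacy=False):
    """Build a user record dict with a ShadowHashData entry.
    legacy=False: assumed 10.8 layout, PBKDF2-HMAC-SHA512 with a 128-byte output
    ("entropy"), a 32-byte salt and an iteration count.
    legacy=True: assumed 10.7 layout, 4-byte salt followed by SHA-512(salt || password)."""
    if legacy:
        s = salt[:4]
        inner = {"SALTED-SHA512": s + hashlib.sha512(s + password).digest()}
    else:
        entropy = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=128)
        inner = {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "salt": salt,
                                          "iterations": iterations}}
    return {"ShadowHashData": [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)]}


def parse_shadow_hash(record):
    """Return the hash type and its parameters from a user record's ShadowHashData."""
    inner = plistlib.loads(record["ShadowHashData"][0])
    if "SALTED-SHA512-PBKDF2" in inner:
        p = inner["SALTED-SHA512-PBKDF2"]
        return {"kdf": "SALTED-SHA512-PBKDF2", "iterations": int(p["iterations"]),
                "salt": bytes(p["salt"]), "entropy": bytes(p["entropy"])}
    if "SALTED-SHA512" in inner:
        blob = bytes(inner["SALTED-SHA512"])
        return {"kdf": "SALTED-SHA512", "iterations": 1, "salt": blob[:4], "entropy": blob[4:]}
    raise ValueError("no recognised hash type in ShadowHashData: %s" % sorted(inner))


def verify_password(candidate, params):
    """The computation login performs: derive with the stored salt and iteration count
    and compare in constant time. Its cost is what bounds an attacker's guess rate."""
    if params["kdf"] == "SALTED-SHA512-PBKDF2":
        derived = hashlib.pbkdf2_hmac("sha512", candidate, params["salt"],
                                      params["iterations"], dklen=len(params["entropy"]))
    else:
        derived = hashlib.sha512(params["salt"] + candidate).digest()
    return hmac.compare_digest(derived, params["entropy"])


def measure_guess_rate(params, samples=5):
    """Time a few verifications and return verifications per second on this core."""
    start = time.perf_counter()
    for i in range(samples):
        verify_password(b"guess%d" % i, params)
    return samples / (time.perf_counter() - start)


def assess(params):
    """One-line audit verdict on how well the stored hash resists offline cracking."""
    if params["kdf"] != "SALTED-SHA512-PBKDF2":
        return "weak: single-pass salted SHA-512 (10.7 style), no work factor to slow guessing"
    rate = measure_guess_rate(params)
    return "pbkdf2 with %d iterations: about %.0f guesses/s on this core" % (
        params["iterations"], rate)


if __name__ == "__main__":
    record = build_user_record(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_ITERATIONS)
    params = parse_shadow_hash(record)
    print(assess(params))
    print("login check with the correct password:", verify_password(b"y8d", params))
```

The guess rate reported for the PBKDF2 record is per core and single-threaded, so it is a rough upper bound on what a plain CPU cracker like the one in the answer achieves; the point of the comparison is that the 10.7 record has no iteration count at all, so nothing but hashing speed limits an attacker, whereas raising the PBKDF2 iteration count raises the cost of every guess.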