@bjacobse Yes, you are absolutely right, and that password only is required when you trig the device inside controller.
I mean, if you click the icon in controller for that device and device is protected, it asks for password.
And if you also use HTTP API, you need to provide password as well.
So if you want to trig the device from other Mysensor node (my case), it does not know about the protection and you can directly send the message to trig the device on or off.