Your system must be cacheing the password someplace, because it gets placed in the header on the tape, and must be furnished before standard tape access is allowed.
We did have someone report a while ago that a 3rd party app that would restore a single mailbox from a stores backup could bypass the password, because it was doing it's own tape access, apparently