Your description of the problem sounds correct. If the "user" that is running PHP is not assigning public read permissions to uploaded files, then you'll need to adjust either the user or php so that uploaded files are given public read permissions.To address your concerns regarding security:
 The user password file is the "users.php" file which is a file inside your database folder. If you look at your database folder, you'll see how it works.
 The passwords are encrypted.
 I think your best solution is to create your database folder so that it is "outside" the web root. This means it is not accessible with a browser, and someone would need to actually hack your server, fine and get to the file (in an known location), and then decrypt the passwords. (In which case, getting to the users.php file is likely the least of your worries.)
 If you want to implement additional security around the snippetmaster program files, you can use something like .htaccess authentication or the IIS equivalent, which is built-in authentication system to access any files in specified folders. (Put an .htaccess authentication requirement into the database folder.)
I have not received any reports of security related issues with snippetmaster, and security is always something I think about when programming and designing the system.