SSH keys are really what should be used, but they are only used by roughly 2/3 of people, with a few people even using both. Some of this is probably due to aggressive outbound firewalls, other IT policies, and SSH key forwarding being futzy. We can:
- Document best practices.
- Let people protect themselves: , or maybe a configuration in the user profile for blocking Git password authentication.
- Add a message to the Git daemon to let people know when password auth is used and link to documentation.
- Wait and see if password use drops to a low-enough level.