As detailed in MBS-9207, supporting HTTP Digest auth requires the server to store the password in almost-plain format. Until the support for Digest can be removed, we should offer security-conscious users the option not to store an ha1 value (which means that they can’t use Digest auth, but aren’t as vulnerable in case their data should be exposed).