> I think we cannot disallow users to use plaintext login

That was never the intention. The question was whether we should make a distinction of allowing plaintext over encrypted and non-encrypted streams, in order to give the user more control over his security. Now, it's all or nothing (unless you force SSL).

cheers,
Remko