My mistake, I thought VCS password was referring to setting a password for the "vcs user," and then sharing that password with anyone who wanted to clone repos over HTTPS. I'm glad that's not how it works =)

In addition to the things mentioned above, it'd be great if some form of per-user auth was supported via HTTPS. Perhaps this could be done by utilizing the existing user specific arc certificate, or generating a similar secondary certificate for the sole purpose of cloning repos.