Posted December 31, 2013

public function login($identifier, $identifierValue, $md5Password, $key, $redirect, $redirectHash) {

We really need to have the ability to retrieve the plaintext password to be able to verify the password is correct. In a platform using SHA-x or blowfish hashing algorithms, the md5'd password is useless. Fully understanding the implications (both of the password being retrievable in the first place, and that all existing masters/slaves would need updated as well), I still would recommend switching this to something like base64_encode/decode, that allows programmatic retrieval, otherwise a master on any platform using anything *not* md5 for password hashing will never exist.

Thank you for reading, and I hope this can be addressed for 4.
January 2, 2014

Can you outline the use case? The way this works in 4.0 is different (we've actually moved away from MD5 in 4.0 ourselves), but I want to be sure your use case is covered. I can say that Connect supports a separate fetchSalt method now to retrieve the salt separately, and then you are expected to hash the password and send it through encoded. I am extremely leery of allowing the plain text password to be available over the air due to the risk of it being captured (think MITM attacks).
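
The two login shapes discussed in this thread, as an added sketch that is not part of either post and not IPS Connect code: a master that stores salted non-MD5 hashes cannot check an incoming md5(password), but can check a hash the slave computed after fetching the salt. The `Master` class, its method names, the PBKDF2 scheme and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash standing in for the master's non-MD5 scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Master:
    """Hypothetical master application; method names are illustrative."""

    def __init__(self) -> None:
        self._users = {}
        self._decoy_key = os.urandom(32)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, derive(password, salt))

    def fetch_salt(self, email: str) -> bytes:
        # Unknown accounts get a stable decoy salt so the call does not
        # reveal which e-mail addresses exist.
        if email in self._users:
            return self._users[email][0]
        return hmac.new(self._decoy_key, email.encode(), hashlib.sha256).digest()[:16]

    def login_md5(self, email: str, md5_password: str) -> bool:
        # Legacy shape: only md5(password) arrives. The stored value is
        # derive(password, salt), which cannot be rebuilt from an MD5 digest.
        salt, stored = self._users[email]
        return hmac.compare_digest(derive(md5_password, salt), stored)

    def login_hashed(self, email: str, client_hash: bytes) -> bool:
        # fetchSalt-style shape: the slave already applied the master's scheme.
        record = self._users.get(email)
        if record is None:
            return False
        return hmac.compare_digest(client_hash, record[1])


def slave_login(master: Master, email: str, password: str) -> bool:
    """Slave side: fetch the salt, hash locally, send only the hash."""
    return master.login_hashed(email, derive(password, master.fetch_salt(email)))
```

In this sketch the hash the slave sends is accepted in place of the password, so the exchange still depends on an encrypted, authenticated channel between slave and master.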
Archived
This topic is now archived and is closed to further replies.