It'd be nice if the new auth mechanism supports multiple passwords in the same format as well (not just one per format).
That way you could have two different passwords for a user that are active at the same time. This would simplify rolling database credentials as it wouldn't have to be done all at once. You could add the new credentials, update your app servers one by one, then disable the old ones.
A lot of systems that use API keys let you see the last time a particular set of keys was used. This helps answer the "Is this going to break something if I disable it?" question. Having a last used at timestamp for each auth mechanism (per user) would be useful.
I'm not sure how updates should work when connecting to a read-only slave though. It would need some way of letting the master know that user X connected using credentials Y.
