
Warn & deprecate users using insecure / cleartext credentials in nuget.config files #12984

Open
JonDouglas opened this issue Nov 3, 2023 · 1 comment
Labels
Area:Authentication Area:Settings NuGet.Config and related issues Priority:2 Issues for the current backlog. Triage:NeedsDesignSpec Type:Feature

Comments

@JonDouglas
Contributor

NuGet Product(s) Involved

NuGet SDK

The Elevator Pitch

Right now there is no warning to end-consumers who use configuration-based authentication that their credentials are insecure.

We should warn them and encourage them to use a proper credential manager or something that guarantees encryption given the lack of a cross-platform guarantee through #1851.

We should update https://learn.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds to discourage use of nuget.config credentials as well.

A warning might appear in the product similar to what other providers do when credentials are stored in plaintext i.e. https://github.com/git-ecosystem/git-credential-manager/blob/main/docs/credstores.md :

⚠️ WARNING ⚠️

This storage mechanism is NOT secure!

Secrets and credentials are stored in plaintext files without any security!

It is HIGHLY RECOMMENDED to always use one of the other credential store
options above. This option is only provided for compatibility and use in
environments where no other secure option is available.

If you chose to use this credential store, it is recommended you set the
permissions on this directory such that no other users or applications can
access files within. If possible, use a path that exists on an external volume
that you take with you and use full-disk encryption.

Additional Context and Details

No response

@nkolev92
Member

nkolev92 commented Nov 27, 2023

Team Triage: We should consider the impact, how many users are using these passwords.

Also, on non-Windows, users have no option to encrypt the passwords.

We could emit a high importance message indicating that it is not encouraged to use plain text passwords with a flag so users can suppress the message.

@jebriede jebriede added Priority:2 Issues for the current backlog. and removed Triage:NeedsTriageDiscussion labels Dec 7, 2023
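As an added illustration of the audit and warning the issue and the triage comment describe (this is example code, not NuGet's own implementation or a proposed patch), the script below parses the packageSourceCredentials section of a nuget.config, classifies each source's password storage, and returns the warning lines a client could emit as a high-importance message. It recognises the two real nuget.config key names, ClearTextPassword and Password (the DPAPI-encrypted form that only works on Windows), and treats a %NAME% value as an environment-variable reference rather than an embedded secret. The sample config, the feed names, the `--suppress-credential-warnings` flag name and the exact message wording are all constructed for this example.

```python
"""Audit a nuget.config for cleartext feed credentials (example code, not NuGet's)."""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

# Constructed sample config: one source per storage style. No real secrets.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="Contoso" value="https://pkgs.contoso.example/nuget/v3/index.json" />
    <add key="Fabrikam" value="https://pkgs.fabrikam.example/nuget/v3/index.json" />
    <add key="Tailspin" value="https://pkgs.tailspin.example/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <Contoso>
      <add key="Username" value="build" />
      <add key="ClearTextPassword" value="not-a-real-secret" />
    </Contoso>
    <Fabrikam>
      <add key="Username" value="build" />
      <add key="ClearTextPassword" value="%FABRIKAM_PAT%" />
    </Fabrikam>
    <Tailspin>
      <add key="Username" value="build" />
      <add key="Password" value="AQAAANCMnd8BFdERjHoAwE..." />
    </Tailspin>
  </packageSourceCredentials>
</configuration>
"""

# A value that is exactly %NAME% is an environment-variable reference, not a secret.
ENV_REF = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")


def classify_credentials(xml_text):
    """Map each credentialed source to one of:
    'cleartext', 'cleartext-envref', 'encrypted', 'none'."""
    root = ET.fromstring(xml_text)
    creds = root.find("packageSourceCredentials")
    result = {}
    if creds is None:
        return result
    for source in creds:  # each child element is named after the package source
        keys = {add.get("key"): add.get("value", "") for add in source.findall("add")}
        if "ClearTextPassword" in keys:
            kind = "cleartext-envref" if ENV_REF.match(keys["ClearTextPassword"]) else "cleartext"
        elif "Password" in keys:
            kind = "encrypted"
        else:
            kind = "none"
        result[source.tag] = kind
    return result


def audit(xml_text, path=None, suppress=False):
    """Return the message lines to emit; empty when the user opted out."""
    if suppress:
        return []
    lines = []
    for name, kind in classify_credentials(xml_text).items():
        if kind == "cleartext":
            lines.append(f"warning: source '{name}' stores its password in cleartext "
                         f"(ClearTextPassword); anyone who can read the file can read it.")
        elif kind == "cleartext-envref":
            lines.append(f"note: source '{name}' uses ClearTextPassword but defers to an "
                         f"environment variable; the secret itself is not in the file.")
        elif kind == "encrypted":
            lines.append(f"note: source '{name}' uses Password (encrypted); this form is "
                         f"only usable on Windows and only by the account that wrote it.")
    # On POSIX, a cleartext secret in a group/world-readable file is the worst case.
    if lines and path and os.name == "posix" and os.path.exists(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            lines.append(f"warning: {path} is readable by other users (mode {mode:o}); "
                         f"restrict it with chmod 600.")
    return lines


if __name__ == "__main__":
    # Usage: audit_nuget_config.py [path/to/nuget.config] [--suppress-credential-warnings]
    # The flag name is a constructed placeholder for the opt-out discussed in the thread.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    suppress = "--suppress-credential-warnings" in sys.argv
    path = args[0] if args else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    for line in audit(text, path=path, suppress=suppress):
        print(line, file=sys.stderr)
```

Running it without arguments audits the embedded sample and prints one warning (Contoso) and two notes (Fabrikam, Tailspin) to stderr; pass a real nuget.config path to audit it, and the permission check fires only when a cleartext finding makes it relevant.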