For the HTTP Listener, you are on the right track. In a mapping, extract the Authentication value. Here is a snippet of how to extract and find the md5Hash value of the password:
if (source.checkNodeExists('/Request/Headers/Authorization')) {
var authorization = source.getNode('/Request/Headers/Authorization');
var base64Decoded = qie.base64Decode(StringUtils.substringAfter(authorization, 'Basic '), 'UTF-8');
var splitArray = base64Decoded.split(':');
var username = splitArray[0];
var password = splitArray[1];
var md5Password = qie.getMD5Hash(password);
qie.debug("Authorization = " + authorization + ", base64Decoded = " + base64Decoded + ", username = " + username + ", password = " + password + ", md5Password = " + md5Password);
}
I like the users System Variable table approach. To help manage that, you could create a helper channel that can add or update a record and hash the password field as you set the value. Alternatively, you can use an online tool for generating the md5Hash value as you add records to the table or "Link the system variable to external source" and edit it outside of QIE.
As far as Secure Sockets, I'm not aware of any username/password approaches. It would depend on the format of the payload and where you would put a username/password. You can always control which clients connect to the server via a Client Authenticated TLS connection by providing a Client Certificate to the authorized endpoints.
Hope it helps.