I think I'm going to go with .htaccess that ask's LDAP (zimbra) for the user ID and password.
I all ready have the .htaccess ready but we have not used it anywhere yet because the LDAP is not SSL protected.
Anyway we can use somekind of phpmyadmin account and change it's password regularly to avoid problems like this.
Most ordinary clients do not use MySQL tools anyway. And those who need to use them can ask for a password.
PS. How often you guys change the mysql root password?