Analysis and my personal, tentative conclusions:
- hmac-md5 / hmac-sha is good, but not entirely portable across services / protocols, AFAIK
- HTTP digest is good, but has the same problem
- crypt-md5 is popular, but not very efficient, and probably not suitable for client-side JavaScript implementation (same with crypt-blowfish)
- RSA is a possible solution, and public / private keys could be generated and regenerated at random, and would withstand password updates initiated by the user through various channels
- Storing multiple password hash formats in a database is another option, though updates to the password would require a special mechanism
- I like Unix / Linux user management because it goes through extensive scrutiny; therefore I like the idea of extending off of some form of LDAP, NSS, and PAM
- I don't think it's a good idea for all services to use the same credentials, though it might be helpful for them all to be tied to the same user entity - for example, I'd mind much less if my Jabber credentials were compromised than if one of my shell accounts were compromised