Analysis and my personal, tentative conclusions: * hmac-md5 / hmac-sha is good, but not entirely portable across services / protocols, AFAIK* http digest is good, but has the same problem* crypt-md5 is popular, but not very efficient, and probably not suitable for client-side javascript implementation (same with crypt-blowfish)* RSA is a possible solution, and public / private keys could be generated and regenerated at random, and would withstand password updates initiated by the user through various channels* Storing multiple password hash formats in a database is another option, though updates to the password would require a special mechanism* I like unix / linux user management because it goes through extensive scrutiny, therefore I like the idea of extending off of some form of ldap, nss, and pam* I don't think its a good idea for all services to use the same credentials, though it might be helpful for them all to be tied to same user entity - for example, I'd mind much less if my jabber credentials were compromised than if one of my shell accounts were comprimised
