Just a clarification about the previous post. Mainly we need to figure out the conditions under which User X can modify User X's password locally vs sending them somewhere else to do it. I didn't mean to imply that we try to deal with remote authorization databases in this round (bleah).
