[deleted]


Our failure to connect on this point seems to be getting militant.

I'm not suggesting that nothing should be done to solve the plaintext password problem.

I'm suggesting that your proposed solution does very little to address the incident that motivated you to post it (the Gawker compromise).

Instead of advocating for your solution, I'm encouraging you to advocate for a much, much better solution. The only downside I can see to my suggestion over your suggestion, apart from the fact that it requires approximately 50 lines more code, is that you didn't come up with it.


[deleted]


Are we looking at different RFC 5054's? I got mine off Trevor Perrin's site, and it specifies SRP, not SHA1. My point is SRP; it's not the specific RFC number.

SRP is not "SHA1, no less".
