Comment 1 for bug 1065447

Barry Warsaw (barry) wrote:

Here's how I'm going to do this. You post to http://.../users/{id}/login and the form data must contain exactly one parameter `cleartext_password`. If the value matches the stored, hashed password, an HTTP 204 (No Content) is returned. If they do not match, an HTTP 403 (Forbidden) is returned. There is no content body in either case, and thus the POST creates no addressable resource.

The nice thing is that this will support hash migration as per passlib.
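The login check described above, as an added illustration that is not Barry's code or Mailman's: a handler for POST /users/{id}/login that requires exactly one `cleartext_password` form field, answers 204 on a match and 403 otherwise with an empty body, and re-hashes the password under the current scheme after a successful check. The hash string layout, the scheme and round counts, the 400 for a malformed form and the 404 for an unknown user are all assumptions of this example; it uses hashlib/hmac from the standard library as a stand-in for passlib so it runs without extra packages.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Hash string layout used by this example (constructed, not Mailman's real format):
#   $<scheme>$<rounds>$<salt b64>$<digest b64>
SCHEMES = {"pbkdf2_sha256": "sha256", "pbkdf2_sha512": "sha512"}
DEFAULT_SCHEME = "pbkdf2_sha512"   # assumed "current" scheme that old hashes migrate to
DEFAULT_ROUNDS = 100_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(cleartext: str, scheme: str = DEFAULT_SCHEME,
                  rounds: int = DEFAULT_ROUNDS, salt: Optional[bytes] = None) -> str:
    """Hash a cleartext password under the given scheme (fresh random salt by default)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(SCHEMES[scheme], cleartext.encode("utf-8"), salt, rounds)
    return "$".join(["", scheme, str(rounds), _b64(salt), _b64(digest)])


def verify_password(cleartext: str, stored: str) -> bool:
    """Recompute the stored hash from the cleartext and compare in constant time."""
    _, scheme, rounds, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(SCHEMES[scheme], cleartext.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(actual, expected)


def needs_update(stored: str) -> bool:
    """True when the hash uses an older scheme or fewer rounds than the current default."""
    _, scheme, rounds, _, _ = stored.split("$")
    return scheme != DEFAULT_SCHEME or int(rounds) < DEFAULT_ROUNDS


def login(users: Dict[str, str], user_id: str, form: Dict[str, str]) -> Tuple[int, bytes]:
    """Handle POST /users/{id}/login.  Returns (status, body); the body is always empty.

    204: the password matches the stored hash; 403: it does not.  The 400 for a
    malformed form and the 404 for an unknown user are assumptions of this example.
    """
    # The form must carry exactly one parameter, and it must be cleartext_password.
    if set(form) != {"cleartext_password"}:
        return 400, b""
    stored = users.get(user_id)
    if stored is None:
        return 404, b""
    cleartext = form["cleartext_password"]
    if not verify_password(cleartext, stored):
        return 403, b""
    # Hash migration: the cleartext is only in hand at login time, so a successful
    # check is the one moment the stored hash can be upgraded to the current scheme.
    if needs_update(stored):
        users[user_id] = hash_password(cleartext)
    return 204, b""


if __name__ == "__main__":
    # Constructed sample: one user whose hash still uses the older, weaker scheme.
    users = {"42": hash_password("correct horse", scheme="pbkdf2_sha256", rounds=1000)}
    print(login(users, "42", {"cleartext_password": "wrong"}))          # (403, b'')
    print(login(users, "42", {"cleartext_password": "correct horse"}))  # (204, b'')
    print(users["42"].split("$")[1])                                     # pbkdf2_sha512
```

Note that a failed login leaves the stored hash untouched, and a malformed request is rejected before any hashing work is done, so the endpoint never spends PBKDF2 time on a request that cannot succeed.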