A PASSWORD specification in a Technique is alike an INPUT one, but it (optionnaly) takes a new parameter, HASH, specifying a hash algorithm to use. If none is specified (or "USER" is), then the hash algo is chosen when filling the directive.
Ex:
<PASSWORD>
<NAME>USERGROUP_USER_PASSWORD</NAME>
<DESCRIPTION>Password for this account</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
<HASH>SHA256</HASH>
</PASSWORD>
An alternative could be to be able to choose among a list of HASH, and having the list of all HASH available if none specified. Something like: <HASH>md5,sha1</HASH> will let the user choose among MD5 or SHA1, and <HASH /> (or no HASH tag) => full list of algo.
An alternative implementation to PASSWORD specification would have been to create a "password" type for input, and not a new field kind (it wasn't clear at the begining that it will be possible, but now it seems to be).
HASH could be in the constraint tag (it seems more natural with a PASSWORD tag to have HASH directly as a children, but for INPUT CONSTRAIN -> type=password, it seems more natural to have HASH as a constraint to.
Updated by 
Updated by 
Updated by Jonathan CLARKE 
Updated by