I would vote for not returning the password as part of getting the user profile. We prefer to change password data separately from changing profile data - and we're not modifying existing password data with our custom application.
I can see situations where changing passwords through the web service would be desirable, though, so perhaps a separate method for password manipulation would be in order? In our case, though, we prefer not to know the user's password, so returning the password through a web service method doesn't give us anything - we'd prefer to use a web service method through which we'd pass the password data (in plain text over SSL) for changing passwords.
|