Dismissing javascript so readily is a bit harsh. It is available on the vast majority of browsers installed
But not *every*
Authentication isn't exactly an operation where you want almost all of your users to be able to complete it...it's either do or don't, there is no try...
If someone can't log in...guaranteed you're getting support calls, or worse yet complaints, or the worsetestest...complete objection to using your application, period.
It's not like using javascript to make data entry a little more friendly...or something related to usability, etc...
If you don't have javascript available to encrypt, then passwords sent in the clear wouldn't get decrypted properly and your user wouldn't be authenticated. Period.
Poor man's SSL (javascript) is ok under vertical market software I suppose, but I wouldn't ever implement anything like that myself, because it's fixing a round hole using a square block...if security is that important...use SSL.
Dismissing it and removing its potential benefit to end users is a poor excuse just because there are a few exceptions in the crowd.
Hmmmm...I can't agree...considering authentication again, it isn't something that can *maybe* work for most users...it either works or it doesn't...
Sure, you could use workarounds (for those who don't have javascript) to allow either, but again, that's adding bloat and complexity when, if security was that important, you should be using SSL...
Do you know how easy it is to sniff network traffic without SSL present? Do a Google search for "sniffer"...
That easy, eh? I challenge you, then, to capture any text I send over the wire with MSN, etc...Perhaps easy in principle, but much more difficult in practice, my friend. Getting your packet sniffer where it has to be in order to "sniff" packets is a whole different story...
I just realized a fault in my own approach.
Glad I haven't used that technique on anything serious.
bah...back to the drawing board and investigation into public key encryption again...
I wonder...if you stored the IP of the authenticated user in with the user/pass upon login...so long as the IP address stayed the same, which it should under most circumstances (unless on dialup), you could decrypt on the server, compare the IP, and if the IP were the same, allow authentication.
This would prevent someone from simply copy/pasting encrypted user/pass pairs into their own cookies and assuming someone's identity, as they would likely be hard pressed being capable of guessing any user's IP address. Perhaps other userAgent data as well to further add entropy...???
Hmmmm...that could work

Not perfect, but a helluva lot better than storing user/pass in the plain, I would think...
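As an added example that is not part of this thread: a Python sketch of the IP/User-Agent binding the poster describes, with one swap made plainly, namely an HMAC-signed token carrying the username, client IP and a hash of the User-Agent instead of an encrypted user/pass pair, so the password never needs to be in the cookie at all. The key, function names and sample values are constructed for the demo; the dialup case the poster mentions (a legitimate user whose IP changes) shows up as a rejected token, which is the trade-off of this scheme.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real server loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # SHA-256 HMAC output, appended to the token body


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _ua_fingerprint(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


def issue_token(user: str, ip: str, user_agent: str,
                key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Build a cookie value bound to the client's IP and User-Agent.
    Only the server knows the key, so only the server can mint a valid tag."""
    claims = {"u": user, "ip": ip, "ua": _ua_fingerprint(user_agent),
              "t": int(time.time() if now is None else now)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(key, body)).decode()


def verify_token(token: str, ip: str, user_agent: str, key: bytes = SERVER_KEY,
                 max_age: int = 3600, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is intact, unexpired and presented
    from the same IP and User-Agent it was issued to; otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(_mac(key, body), tag):
        return None  # forged, altered, or signed with another key
    claims = json.loads(body)
    if claims["ip"] != ip or claims["ua"] != _ua_fingerprint(user_agent):
        return None  # copied into a different client's cookie jar (or IP changed)
    if (time.time() if now is None else now) - claims["t"] > max_age:
        return None  # stale token
    return claims["u"]
```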