I've been using JavaScript MD5 (http://pajhome.org.uk/crypt/md5/index.html) in order to convert a plain text password into a hash before submitting it to a login script using POST, but the following quote (found under "Protecting the password on the server" at http://pajhome.org.uk/crypt/md5/auth.html) from the JavaScript MD5 website has confused me over the whole benefit of using JavaScript in the first place.

"Observant readers may notice that the value the server stores is a "password equivalent", i.e. if you knew just that then you could login. However, the protection is still worthwhile, because its main purpose is to stop an attacker using captured passwords on a different server."

I don't understand how the protection is still worthwhile: isn't it true that all a hacker would have to do is intercept the HTTP transmission, obtain the MD5 hash of the password from it, and then simply disable JavaScript and paste the MD5 hash into the password field? I've tried this and it does in fact give me access!
So what's the benefit??
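An added example, not part of the original post or of the JavaScript MD5 site: a Node.js model of the situation in the question, showing that the posted hash is accepted again by the same server, while a different server that expects the plain-text password rejects it. The password, salt and all three servers are constructed; server C (a per-login nonce) goes beyond the post and is an assumption about one way to make a captured value useless for a later login.

```javascript
const crypto = require("crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");
const hmac = (key, msg) => crypto.createHmac("sha256", key).update(msg).digest("hex");
function safeEqual(a, b) { // constant-time comparison of two strings
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}
const PASSWORD = "correct horse battery"; // constructed sample password

// Server A: the scheme in the question. The browser posts md5(password)
// and the server compares it with the md5 value it has stored.
const serverA = {
  stored: md5(PASSWORD),
  login(submitted) { return safeEqual(submitted, this.stored); },
};

// Server B: a different site where the same password is reused. It takes the
// plain-text password and derives its own salted value (scrypt, constructed salt).
const kdfB = (pw) => crypto.scryptSync(pw, "constructed-salt-site-b", 32).toString("hex");
const serverB = {
  stored: kdfB(PASSWORD),
  login(submitted) { return safeEqual(kdfB(submitted), this.stored); },
};

// Server C (assumption, beyond the post): the server issues a fresh nonce per
// login and expects HMAC(md5(password), nonce). The stored value is still a
// password equivalent at rest, but a response seen on the wire cannot be reused.
const serverC = {
  stored: md5(PASSWORD),
  nonce: null,
  challenge() { return (this.nonce = crypto.randomBytes(16).toString("hex")); },
  login(response) {
    if (!this.nonce) return false;
    const expected = hmac(this.stored, this.nonce);
    this.nonce = null; // each challenge is valid for one attempt
    return safeEqual(response, expected);
  },
};

function demo() {
  const captured = md5(PASSWORD); // value visible on plain HTTP with scheme A
  const response = hmac(md5(PASSWORD), serverC.challenge()); // visible with scheme C
  const firstOnC = serverC.login(response); // the legitimate login
  serverC.challenge(); // a later attempt gets a new nonce
  return { replayOnA: serverA.login(captured), replayOnB: serverB.login(captured),
           passwordOnB: serverB.login(PASSWORD), firstOnC,
           replayOnC: serverC.login(response) };
}
console.log(demo());
```

None of the three variants hides the login from someone who can read or alter the traffic, so the form still needs to be served and submitted over HTTPS.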