Keep in mind that if you want to have passwords which are not sent in plaintext and don't want to use SSL you will have to have some JavaScript to do it, which would mean people with JavaScript turned off would not be able to log in to your site (well, at least as far as I can see).

Or we could use digest authentication as mentioned (and I think we should probably provide that as an option since it has some value -- one particularly useful way to use it is to password protect an entire dev site rather than count on the OpenACS authentication working in dev), but it does mean that the browser will then be responsible for popping up its standard password window. Digest authentication protects passwords but provides very little in the way of security beyond that (although if we issue more restrictive nonces that is not strictly true). Also I think there are browser support issues for digest authentication (NS4 doesn't do it, iirc)...

I think the JavaScript hashing of the password is a waste, and digest authentication has some value, but it's not without some real drawbacks too.
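As an added example (not code from the thread or from OpenACS), a minimal server-side HTTP Digest verifier in Python showing what "more restrictive nonces" buys: nonces are HMAC-signed and time-limited, and the nonce count must increase, so a captured Authorization header cannot be replayed after the window closes. The realm, TTL and user values are constructed for the demo.

```python
import hashlib, hmac, os, time

# Constructed demo settings; a real deployment stores HA1 per user in its own DB.
REALM = "dev-site"
SERVER_KEY = os.urandom(32)   # secret used to sign nonces; rotate to invalidate all nonces
NONCE_TTL = 300               # seconds a nonce stays valid (the "restrictive" part)
_seen_nc = {}                 # nonce -> highest nonce-count accepted (replay check)

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1_for(username: str, password: str) -> str:
    """RFC 2617 HA1; this is all the server needs to keep, never the password."""
    return _md5(f"{username}:{REALM}:{password}")

def issue_nonce(now=None) -> str:
    """Nonce = <timestamp>:<hmac(timestamp)>; the server needs no nonce table to check it."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{sig}"

def nonce_valid(nonce: str, now=None) -> bool:
    ts, _, sig = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # forged or tampered nonce
        return False
    age = (now if now is not None else time.time()) - int(ts)
    return 0 <= age < NONCE_TTL                      # expired nonces are rejected

def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The value a client puts in response=...; the password itself never goes on the wire."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_for(username, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(stored_ha1, method, uri, nonce, nc, cnonce, response, now=None) -> bool:
    """Server-side check: live nonce, strictly increasing nc, matching response."""
    if not nonce_valid(nonce, now):
        return False
    nc_int = int(nc, 16)
    if nc_int <= _seen_nc.get(nonce, 0):             # same or older nc => replayed header
        return False
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    if not hmac.compare_digest(expected, response):
        return False
    _seen_nc[nonce] = nc_int
    return True
```

Without the TTL and nonce-count checks the same header would verify indefinitely, which is the "very little security beyond protecting the password" point made above.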