There are at least three different topics.
One topic is what OpenACS should do by default. This is mostly what I was asking about in the original post. It seems that a system like OpenACS should default to something that does not send passwords in the clear, but what do I know.
Another topic is what openacs.org should do.
Another topic is how to solve my needs. If I were going to use OpenACS, the best situation would probably be if OpenACS used a JavaScript digest-like protocol, or Digest, by default. The next best option is probably to use SSL for the login sequence and to not use SSL for the rest of the site.
I hope nobody goes out of their way trying to help me find a solution right now -- I am probably going to use something other than OpenACS. Thanks to those that tried to help with passwords.
