But if someone can sniff the password, there's a reasonable chance they can also do a man in the middle attack to insert malicious javascript to send the password in the clear anyway. It really seems like all you're doing is confusing novice admins as to whether they'll need SSL or not to protect communications.
Message: 4 Date: Wed, 9 Nov 2005 22:49:34 -0500 From: Moshe Weitzman <weitzman@tejasa.com> Subject: Re: [development] Re: [drupal-devel] Securing Login: MD5 password hashing using javascript
getting back to the topic, i'd love to see javascript hashing of password. this is used in phpmyadmin and many other projects.
keyloggers have nothing to do with this. do folks think they are being smart when they post 'but this won't stop a keylogger'? no shit. that sort of post only serves to derail an otherwise useful conversation. please resist the temptation.