Let me add my two cents. Using JS to do a challenge-based MD5 auth -- not bad. md5(challenge + md5(password)) -- no replayability, no reveal of the md5 hash of the password. Is this necessary? I do not think so, but a contrib module indeed could do this, I think. As I linked in the issue, there are already ready-made implementations (phplib). If it's done right and it's popular, I won't object to moving it into core.

As for blogapi logins -- of course, SSL is a better solution, but the above would suffice for the many users who do not use blogapi. But as has been mentioned in the thread, the problem is that a vast majority of users are running from Windows, where malware is pretty common... and you can't protect your users from that unless you do some real heavy trickery.

Regards, NK