Password hashing (non-SSL)

迷失自我 2021-02-20 13:18

How is the password sent from browser to server in case of non-ssl transfer?

I want to use bcrypt to hash password+salt before sending.... but it seems there is no javas

6 answers
  •  既然无缘
    2021-02-20 13:37

    Your method seems very insecure. But to approach your questions...

    1. The same way it would be sent over SSL, just unencrypted.
    2. No, MD5 is not good enough, even over SSL. If you are truly worried about security, then why would you choose a cracked algorithm that can be deciphered using a multitude of web services online (this has been the focus of a few spirited debates here on SO).
    3. Even if you hash the passwords before sending them, you are doing this CLIENT SIDE. This means that your hash and your algorithm are exposed and shown to every end user. As a result, a well to do hacker now knows exactly how you are sending the passwords.

    In closing, just get at least a $20 SSL cert from GoDaddy if you want to secure your site/text during transfer from client to server. Encrypt your passwords on the server side before storing to your DB.
