How is the password sent from browser to server in case of non-ssl transfer?
I want to use bcrypt to hash password+salt before sending.... but it seems there is no javas
I always recommend people use SSL where they can, but for completeness, it should be noted that it is possible to perform authentication securely without SSL through careful implementation of HMAC -- Hash-Based Message Authentication Code.
You must be sure to use a cryptographically secure hash algorithm with HMAC (I'd suggest SHA-224 or better), and you must remember that although you can authenticate without revealing the key/password this way, your data still has to be transmitted in cleartext, so this can't be used as a substitute for SSL for things like credit card transactions etc.
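The HMAC approach described in the answer above, sketched as an added example that is not part of the original answer. It assumes a challenge-response design with a single-use server nonce and HMAC-SHA-256, running under Node.js; the function names, the `userKeys` store and the sample key are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample data: per-user key agreed at registration (assumption).
const userKeys = new Map([['alice', Buffer.from('constructed-shared-secret')]]);
const pending = new Map(); // username -> outstanding nonce, valid for one attempt

// Server, step 1: issue a fresh random challenge for this login attempt.
function issueChallenge(username) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(username, nonce);
  return nonce; // sent in cleartext, as is everything else on a non-SSL link
}

// Client: prove knowledge of the key without ever transmitting it.
function clientResponse(key, username, nonce) {
  return nodeCrypto.createHmac('sha256', key)
    .update(`${username}:${nonce}`)
    .digest('hex');
}

// Server, step 2: recompute the HMAC and compare in constant time.
// The nonce is consumed first, so a captured response cannot be replayed.
function verifyResponse(username, responseHex) {
  const nonce = pending.get(username);
  pending.delete(username);
  const key = userKeys.get(username);
  if (!nonce || !key) return false;
  const expected = nodeCrypto.createHmac('sha256', key)
    .update(`${username}:${nonce}`)
    .digest();
  const got = Buffer.from(String(responseHex), 'hex');
  return got.length === expected.length &&
    nodeCrypto.timingSafeEqual(got, expected);
}
```

An observer of the link sees the username, the nonce and the response but not the key. The server must hold the same key as the client, so the stored value needs the same protection as a password.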