What's the best way to hash the user password at the client browser, before sending it to the web server, so that only the hash goes out, not the plain-text password?
EDIT: assuming HTTP is used (not HTTPS)
What's the best way to hash the user password at the client browser, before sending it to the web server, so that only the hash goes out, not the plain-text password?
EDIT: assuming HTTP is used (not HTTPS)
Use javascript to calculate the hash. See this for an example on how to calculate SHA-1 hashes in JS.
Beware that if you make yourself dependant on Javascript, your system will fail as soon as someone has JS disabled. You should use HTTPS if this is a concern to you, which has its own setbacks (e.g. certificates cost money if you want them to be immediately accepted by browsers.)
Try using this jQuery encryption plugin. Out of curiosity, what's wrong with using SSL/HTTPS and encrypting at the server side?
This site has quite comprehensive hashing/crypto stuff: JavaScript Encryption Library
JavaScript side encryption like the jQuery Encryption library stops Eavesdroppers. However, MITM (Man-in-the-Middle) can still occur. SSL/TLS is the ultimate choice that is highly recommended to take unless you are on shared hosting (no dedicated IPs) or your site is receiving so much traffic that you can't simply encrypt all connections (JS, CSS, HTML, ...).
Why would you bother doing this? Effectively, the password hash has become the password and a a man-in-the-middle who intercepts the hash can use it to authenticate and perform any action as the user. On the other hand, if you don't believe in the man-in-the-middle, why not just send the password itself?