Here is what I got for a webapp login scheme. Present in database would be two salts and hmac(hmac(password, salt1), salt2).
When the user go on the login page, he gets salt1. If he has javascript activated, instead of sending the plaintext password, it would send hmac(password, salt1). If he does not have javascript, the plaintext password is sent.
So, on the serverside, when getting a login request, we'd first check what is sent (passwordSent) against hmac(passwordSent, salt2). If it does not work, we'd try hmac(hmac(passwordSent, salt1), salt2).
Someone getting access to the database should not be able to login with the password hashes and I don't think (but I may be wrong) that multiples hmacs diminish the hash resistance. Do any good crypto expert see any obvious error I may have done ?