Browser password managers have me stumped

Question

I am working on a login dialog to my site. To spare users the frustration of having to remember their login details, I want to cooperate with the built-in browser password managers. I have worked out that to get Firefox to play ball, I must use a plain-vanilla HTML Form. Fine, so be it. However, I will not transfer unencrypted passwords. So my form content looks like so:

input#1 type="text" name="login"
input#2 type="password"
input#3 type="hidden" name="passwd"

I then intercept the submit and encrypt the content of #2 into #3, and off goes the form. Works a treat in IE and Firefox, not so in Opera and Chrome. Just rifled around SO and find that the problem is input#2, which does not have a "name" attribute. A quick test reveals that when I add name="ignore" it does work indeed in Chrome and Opera. Only trouble is that the password is now sent across the network plain text, with the label "ignore". Thanks a bunch. The whole point of omitting the "name" was to omit that field from the form.

If there a way that I can suppress input#2 from being sent while still giving it a "name"? Or is there another trick I could use?

Thanks.

Answer 1

The answer in the narrowest sense of the original question is: yes, it is possible via Ajax. Create a vanilla FORM with two named INPUTs and submit BUTTON. (Don't forget to feign some action in the FORM attributes.) Now it looks like a plain-text HTML affair. Next in JS, intercept the onsubmit from the FORM and launch an Ajax request to your PHP script, POSTing the plain login and hashed password. Return FALSE from onsubmit to suppress the FORM's action. You're done. No more plain-text passwords across the wire...