I'm working on a small website for a local church. The site needs to allow administrators to edit content and post new events/updates. The only "secure" information managed by the site will be the admins' login info and a church directory with phone numbers and addresses.
How at risk would I be if I were to go without SSL and just have the users login using straight HTTP? Normally I wouldn't even consider this, but it's a small church and they need to save money wherever possible.
Plain HTTP is vulnerable to sniffing. If you don't want to buy SSL certificates, you can use self-signed certificates and ask your clients to trust that certificate to circumvent the warning shown by the browser (as your authenticated users are just a few known admins, this approach makes perfect sense).
Well, if you don't use SSL, you will always be at a higher risk for someone trying to sniff your passwords. You probably just need to evaluate the risk factor of your site.
Also remember that even having SSL does not guarentee that your data is safe. It is really all in how you code it to make sure you provide the extra protection to your site.
I would suggest using a one way password encryption algorythm and validate that way.
Also, you can get SSL certificates really cheap, I have used Geotrust before and got a certification for 250.00. I am sure there are those out there that are cheaper.
In the scenario you describe regular users would be exposed to session hijacking and all their information would also be transferred "in the clear". Unless you use a trusted CA the administrators might be exposed to a Man-in-the-middle attack.
Instead of a self-signed cert you might want to consider using a certificate from CAcert and installing their root certs in the admin's browser.
Since only your admins will be using the secure session, just use a self-signed certificate. It's not the best user experience, but it's better to keep that information secure.
Realistically, it's much more likely that one of the computers used to access the website will be compromised by a keylogger than the HTTP connection will be sniffed.
Use HTTPS with a free certificate. StartCom is free, and included in by Firefox browsers; since only your administrators will be logging in, they can easily import the CA if they want to use IE.
Don't skimp on security. Anecdotally, I have seen websites that sound similar to yours defaced just for kicks. It's something worth taking pains to avoid.
I second Wayne Hartman. Just download OpenSSL and create a self-signed certificate. There's plenty of documentation on how to use OpenSSL, and it is very flexible.