There are a number of authentication schemes which can work securely over plain HTTP. The most common of these is Digest, which is supported by all major web browsers and virtually every web programming framework.
The down-side of using Digest for web sites is that:
The authentication is handled by the browser itself rather than a login page on the web site, which doesn't look nearly as nice, and doesn't allow you to have all the surrounding helper functions like "forgot your password?" that we've come to expect nowadays.
If you have no SSL connection, savvy users may feel worried that they are sending their password insecurely (even though they aren't) because they've been trained to look for an SSL connection when entering credentials.
There are other schemes such as OAuth which also are safe over plain HTTP, but that is really more for APIs than web sites, so probably isn't what you want.