That Plurk sends unencrypted usernames and passwords through POST requests. Isn't that insecure?
if anything is *truly* secure.
Well, isn't that less secure?
it is less secure... does Twitter do the same?
Wow...I didn't realize they both did that. Learn something new every day.
that it's a huge pain in the butt to set up https, which is why most webapps don't bother encrypting passwords outside of the db.
I'm not necessarily saying HTTPS, but could they at least hash the passwords or something? I know little of developing web sites.
Hm, that's a good idea—hashing it before sending the data. The people who don't have JS enabled wouldn't be secure, though.
But they wouldn't be able to view the site either, no?
Then the hashkey would be public, so it doesn't exactly help.
well, no—you could just use a SHA1 hash, and match it up with the one from the database.
With the people who have javascript disabled, you could do what you did before—hash the supplied password, then match it up with the db's.
Man, I am completely lost.