HTTPS is the obvious way to build a secure connection between client and server. Unfortunately, it is not the answer for every web application: for one reason or another you may not be able to afford an
SSL certificate, or it may not seem worth using. Even without SSL you can still add some protection one level up. Because most users reuse the same password for all of their online accounts, those accounts are vulnerable: the same password may be used for online banking and for a simple web forum. If I capture the password used on a forum site, I can try that same password against the victim's online banking account. For that reason you have to be especially careful when connecting to a public wireless network.
Client side hashing
It is always possible to listen on the network and capture the packets exchanged between client and server. If your client's password is sent in plain text, anyone sniffing the client's network can read it. To protect the password you can use a cryptographic hash function such as
MD5,
SHA-1, or
SHA-2 (MD5 and SHA-1 are no longer considered collision resistant, so prefer a SHA-2 member such as SHA-256). On the client side, hash the password and send the digest to the server instead of the password itself. On the server side, store a hash of the password in your database (ideally with a per-user salt) so that the two digests can be compared: the one sent by the client and the one stored in the database. A cryptographic hash cannot be reversed to recover the original string, which is why this is often loosely called one-way encryption; strictly speaking it is hashing, not encryption, and there is no key and nothing to decrypt.
As I said, this does not give you a comprehensive secure environment. But it keeps the plain-text password out of sight of anyone listening on your client's network. Be aware of what an eavesdropper does see: the digest. If your server accepts the same digest on every login, a captured digest can simply be replayed to log in to your site, so the digest is a credential for your application even though it is not the user's password. Combine the client-side hash with a per-login nonce (a challenge issued by the server) to stop that replay. What client-side hashing buys you is that the user's actual password, the one they may also use for their bank, never travels over the wire.
Here is an open source JavaScript library that implements these cryptographic hash functions in the browser:
http://code.google.com/p/crypto-js/