With all of this discussion of password security lately one question I have is why browsers send the contents of a "password" input in plain text at all. Why not have the browsers perform a preliminary one-way hash before even sending the data to the server?
True that this is definitely not the entire answer to the password storage questions (I know Bcrypt, Bcrypt, Bcrypt) but it would at least be a step in the correct direction and if done properly it would probably eliminate the current epidemic of sites choosing to just store passwords in the clear.
To avoid attackers sniffing something they can replay, you need to transmit `salted_hash(whatever_is_stored_in_database)`.

This still leaves the issue of setting your password in the first place. You have to transmit something an attacker could replay --- your only option for protecting it is TLS. So you might as well use TLS for protecting passwords when logging in as well, and then you don't need the browser to do anything clever with passwords.
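The replay point above, as an added example that is not part of the thread: a toy client/server pair (the `browser_prehash` and `ToyServer` names are assumptions for the demo) shows that a browser-side hash is a static value on the wire, so a passive observer holds something that logs in again, while the server's own salted slow hash of that value is not a usable login token.

```python
import hashlib
import hmac
import os


def browser_prehash(password: str) -> str:
    """What a browser doing a 'preliminary one-way hash' would send.
    Deterministic: the same password yields the same string on every login,
    both at registration and at each subsequent sign-in."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ToyServer:
    """Stores a per-user salted, slow hash of whatever the client transmitted."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}

    def _derive(self, transmitted: str, salt: bytes) -> bytes:
        # PBKDF2 stands in for bcrypt/scrypt here; the property that matters is salt + work factor.
        return hashlib.pbkdf2_hmac("sha256", transmitted.encode("utf-8"), salt, 100_000)

    def register(self, user: str, transmitted: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(transmitted, salt))

    def login(self, user: str, transmitted: str) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(self._derive(transmitted, salt), stored)


def replay_demo() -> tuple[bool, bool, bool]:
    """Returns (genuine_login_ok, observed_wire_value_accepted, leaked_db_row_accepted)."""
    server = ToyServer()
    password = "correct horse battery staple"        # constructed sample password
    server.register("alice", browser_prehash(password))  # registration sends the same static value

    observed = browser_prehash(password)   # what a passive observer of a non-TLS login sees
    _salt, leaked_row = server.db["alice"]  # what a database leak exposes instead

    return (
        server.login("alice", browser_prehash(password)),  # True: normal login
        server.login("alice", observed),                   # True: pre-hash alone does not stop replay
        server.login("alice", leaked_row.hex()),           # False: the stored salted hash is not a token
    )
```

The middle result is the whole argument: without TLS the pre-hashed value is the credential, and only transport protection (or a per-login challenge the page does not cover) changes that.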