Originally posted by prigole:
Has any solution been proposed that enables (salted) hashed passwords to be sent to the server rather than cleartext passwords? We are in a similar situation where we can't use HTTPS (client's company policy) and we would really like to scramble the passwords before sending them over the wire.
You cannot do this. If you just send a scrambled/hashed password in a single request, then it has the same value to an attacker as the plaintext password. They can just send the same scrambled value themselves to gain access.

The only alternative is to use a protocol like SRP to authenticate.
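
The point made in the reply above, as an added example that is not part of the original thread: a server that accepts a fixed hash also accepts a captured copy of it, while an SRP-6a style exchange rejects a captured proof because the server picks a fresh secret for every session. The group `N, g`, the hash layout, the sample salt and password, and all function names are assumptions made for this sketch; the toy modulus is not suitable for real use.

```python
import hashlib, secrets

# Toy group for illustration only (assumption): 2**127 - 1 is prime but far too
# small and not a safe prime. Real SRP uses a standard group, e.g. from RFC 5054.
N, g = 2**127 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def static_hash_login(stored_hash, received_hash):
    # The scheme from the question: the hash itself is the credential.
    return secrets.compare_digest(stored_hash, received_hash)

class SrpServer:
    def __init__(self, salt, password):
        # Enrollment: keep only the salt and verifier v = g^x, never the password.
        self.salt, self.v = salt, pow(g, H(salt, password), N)
    def challenge(self, A):
        if A % N == 0:
            raise ValueError("illegal client value A")
        self.A, self.b = A, secrets.randbelow(N - 2) + 1   # fresh secret per session
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B
    def verify(self, M1):
        u = H(self.A, self.B)
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        return secrets.compare_digest(M1, H(self.A, self.B, S).to_bytes(32, "big"))

def srp_client_login(server, password):
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(A)
    u, x = H(A, B), H(salt, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S).to_bytes(32, "big")          # proof of the shared secret S
    return A, M1, server.verify(M1)

def replay_demo():
    salt, pw = b"constructed-salt", "constructed-password"
    stored = hashlib.sha256(salt + pw.encode()).hexdigest()
    static_replay = static_hash_login(stored, stored)   # captured hash resent as-is
    server = SrpServer(salt, pw)
    A, M1, legit = srp_client_login(server, pw)
    server.challenge(A)                                  # new session, new b and B
    return static_replay, legit, server.verify(M1)      # captured proof resent
```

`replay_demo()` returns whether the resent static hash was accepted, whether the genuine SRP login succeeded, and whether the resent SRP proof was accepted in a later session.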