[eluser]Rob Pomeroy[/eluser]
[quote author="Ben Edmunds" date="1284001974"]IMHO there is absolutely no point in encrypting the passwords before you send them through the pipe with Javascript.[/quote]
Yeah, I admit this was only really covering the case of a wire sniffer, rather than a full-blown man-in-the-middle attack. Plus there's a fairly high overhead asking a browser to hash and re-hash.
Now to take a good look at your library! I'll be wanting to drop in reCAPTCHA, OpenID and possibly LDAP in due course... Thanks for all you've done. If I come up with any resuable code I'll be sure to fork it.