yes there are situations like that but then it could just submit the form (which would happen anyway) and check the plaintext password like normally if the other mechanism fails. If people have js turned on it would simply increase security a little. The crucial part is just the sending of the password. Since it will not be a SSL url security aware ppl will not use their high priority passwords anyway. It's just for sites like facebook where you dont have to do money transactions etc. Tim-Hinnerk Heuer http://www.ihostnz.com Fred Allen - "California is a fine place to live - if you happen to be an orange." 2009/2/17 Jason Pruim <jason@xxxxxxxxxxxxxx> > > On Feb 16, 2009, at 6:11 AM, German Geek wrote: > > Brilliant. Someone who understood my intentions :) It's not only a good >> exercise but also useful. Once done in PHP and various JS frameworks, we >> could port it to other languages. Would suggest to support as many as we >> can >> because they all have pros and cons. PHP first tho :) . Maybe just good >> old >> javascript as a start although the frameworks make it a lot easier. Who on >> earth has Javascript turned off these days anyway? I don't know anyone who >> is that paranoid. Sorry if someone here is but i believe if you are scared >> of javascript you might as well not turn on a computer. There are always >> going to be security holes. >> >> > There are people who aren't in control of the computer they use. Such as > anyone in a big corporation... The IT department might have decided to turn > off javascript support to help protect their companies internal assets. > > Or Alot of people who use mobile devices that don't have java support. > > All I'm saying is there is a chance that even people who would want to > leave java on normally might be in situations where they can't have it on. > :) > > >