Forget plain text. A password can be sent in the form of a cryptographic hash, and only the hash should be stored and later used in authentication.

But even this would be unsafe unless the connection itself is properly encrypted; it should use HTTPS, not HTTP: http://en.wikipedia.org/wiki/HTTPS

The idea behind this vulnerability is: at the moment when the password is first set up, the hash value can be eavesdropped by spying on the HTTP packets in transit. The person who captured the hash value won't know the original password (nor will anyone else except the person who knows it), but such a person (the spy) can use this hash value later to impersonate the legitimate user, log in and access all the personal data. HTTPS can prevent this trick.
About the use of cryptographic hash functions, please see my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it,
Decryption of Encrypted Password,
storing password value int sql server with secure way,
TCP Connection with username and password.
[EDIT — to answer OP's follow-up question on how to implement the function]
Everything is already implemented for you:
Client side: http://code.google.com/p/crypto-js
Server side: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm%28v=vs.110%29.aspx
Also, see my past answers I referenced above and the Wikipedia articles to understand my warning against using MD5 or SHA-1. You can use an algorithm from the SHA-2 family.
—SA
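As an added example (not part of the answer above, and not the .NET HashAlgorithm code it links to), here is the server-side half of the scheme in Python: only a SHA-256 digest is stored, never the password, and login recomputes and compares the digest. It goes one step beyond the answer by adding a random per-user salt so two users with the same password do not share a stored value; `USERS`, `register` and `verify` are hypothetical names and the user table is constructed in memory.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> (salt, digest).
# A real system keeps this in a database; only the digest is stored, never the password.
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """SHA-256 (SHA-2 family) over salt + password; MD5 and SHA-1 are deliberately not used."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def register(username: str, password: str) -> None:
    """Create a fresh random per-user salt and store only (salt, digest)."""
    salt = os.urandom(16)  # assumption: 16 random bytes is enough per-user salt
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    entry = USERS.get(username)
    if entry is None:
        return False  # unknown user: same outcome as a wrong password
    salt, stored = entry
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(stored, hash_password(password, salt))


def digests_differ_for_same_password(password: str) -> bool:
    """Two users registering the same password get different stored digests (salt effect)."""
    register("alice", password)
    register("bob", password)
    return USERS["alice"][1] != USERS["bob"][1]
```

A single SHA-256 round is fast to brute-force offline; `hashlib.pbkdf2_hmac` with a high iteration count is the standard upgrade over this when a stored digest might leak.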