Last modified: 2013-06-18 16:44:18 UTC
We've done the occasional experiment based on using client-side hashing of the password, but implementing it means you have to be very careful about how you implement your password hashing and internal salting. Greg Maxwell pointed out this cute little JavaScript RSA library: http://www.ohdave.com/rsa/ Using something like this would allow for submitting the password encrypted using a public key from the server; while this would not protect against any sort of active attack, it would prevent local network traffic sniffing from seeing plaintext passwords. (Note that while an HMAC could help protect against replay, but you're still stuck with session hijacking.)
I'm just gonna WONTFIX this out; while it's plausible to protect against password sniffing, nobody seems willing to commit to it, and we've been pushing more SSL stuff which of course does a far better job of protecting your session.