Maybe the title is badly phrased but couldn't think of a better way of saying it.
I am working on a login system at the moment (nothing formal, just experimenting) and was planning on using PHPLiveX (an AJAX library) for some features. Basically you create some PHP functions which are then called via JavaScript. You can add parameters (getElementById) to the JavaScript that are transferred to the PHP function.
What I really wanted to know is whether it is safe to just call the function from JavaScript without encrypting the password first, then letting the PHP function encrypt it (SHA256 in this case). Can the data transferred via AJAX be intercepted? If so, how likely is this?
Damn, you guys worry me. SSL does not protect against the ARP poisoning MITM attack. It would be fatal to worship SSL as you guys are. You must have a way to encrypt the password on the client side before it makes even one hop or else even a novice hacker will be able to intercept the password in plaintext.
One should also be very aware of potential security vulnerabilities when building an application that utilises Ajax.
The following site has some really good info in regards to Ajax and XSS or XSRF attacks: http://www.isecpartners.com/files/isec-attacking_ajax_applications.bh2006.pdf
Don't forget that when you make a remote function accessible to a JavaScript call, a user could simply guess the function call and modify it to do his/her bidding.
As others have mentioned, it's no more dangerous than sending an HTTP post from a form. In fact, it's the very same thing.
But if HTTPS isn't an option you can always use a challenge/response scheme over an unencrypted connection. Basically it works like this:
It's actually pretty simple to set up once you get the idea. Wikipedia has some additional information on it.
EDIT: I noticed I forgot to mention, whether or not the authentication is successful you must delete the challenge, regardless. Giving the client multiple attempts on one challenge could lead to security issues.
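The single-use challenge rule from the EDIT above, shown with both sides of the exchange, as an added example that is not part of the original answer. The answer's own steps are not shown on this page, so the code assumes a common HMAC-SHA256 variant in which the server stores SHA-256(password); every name and the sample user are constructed.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Constructed sample data: hypothetical user store holding SHA-256(password).
const users = new Map([['alice', sha256('correct horse')]]);
const pending = new Map();   // outstanding challenges: nonce -> expiry time (ms)
const TTL_MS = 60000;        // assumed lifetime of an unanswered challenge

// Server, step 1: hand the client a fresh random challenge.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.set(nonce, now + TTL_MS);
  return nonce;
}

// Client: answer the challenge; the password itself never goes on the wire.
function clientResponse(password, nonce) {
  return crypto.createHmac('sha256', sha256(password)).update(nonce).digest('hex');
}

// Server, step 2: check the answer. The challenge is deleted before any
// comparison, so it is gone whether authentication succeeds or fails.
function verifyResponse(username, nonce, response, now = Date.now()) {
  const expires = pending.get(nonce);
  pending.delete(nonce);
  const stored = users.get(username);
  if (expires === undefined || stored === undefined || now > expires) return false;
  const expected = crypto.createHmac('sha256', stored).update(nonce).digest();
  const got = Buffer.from(String(response), 'hex');
  // Constant-time comparison; the length check guards timingSafeEqual.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Walk through one good login, a replay, and a second guess on a used challenge.
function demo() {
  const n1 = issueChallenge();
  const r1 = clientResponse('correct horse', n1);
  const first = verifyResponse('alice', n1, r1);    // valid answer
  const replay = verifyResponse('alice', n1, r1);   // same answer sniffed and resent
  const n2 = issueChallenge();
  const wrong = verifyResponse('alice', n2, clientResponse('guess', n2));
  const retry = verifyResponse('alice', n2, clientResponse('correct horse', n2));
  return { first, replay, wrong, retry };
}
```

In this variant the stored SHA-256 value is itself enough to answer a challenge, so it needs the same protection as the password.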
You are sending it in the clear, so anyone sniffing/listening/etc. on the client's network will be able to easily see the password. The AJAX call is just a plain old HTTP message. If you want to see this in action, fire up a copy of Wireshark and make the request yourself. You will be able to see the password in the HTTP packet.
The plain text password transmitted via AJAX will be as secure as the same password transmitted via a normal HTTP post. That is to say AJAX uses HTTP and can therefore be intercepted and sniffed. Your best bet is to use HTTPS (SSL).
For further reading on AJAX and security I'd recommend the following readings
Whether you are sending the password via AJAX or via a normal form, it is still sent via an HTTP POST (hopefully) request. So you are not adding or removing anything security-wise. The only way to prevent someone from intercepting your password is by using SSL (via AJAX or not).