Secure Login without HTTPS

Still working on my secure login without HTTPS. My non-comprehensive list of desired qualities:

  • Never send password in a reversible encoding.
  • Try to avoid replay attacks and session hijacking.
  • Protect against brute force attacks on intercepted data.
  • Protect against browser plugins.

Progress is coming along nicely. The authentication and validation steps are working, which means I have a functioning system. Next I need to exercise it and make sure it works in practice.