I noticed when looking at the templates for mvc internet applications the password is sent from the client to the server in plaintext, although I believe it is probably encrypted/hashed+salted when stored in the database.
Is the best thing to increase security here to enable SSL/HTTPS only or would it also be best to hash the password on the client side so it couldnt be intercepted en-route to the server or is this overkill?
Is there anything in the asp.net framework or 3rd party tools that would help with such a client side encryption/hashing?
The correct solution here is to use SSL encrypted page (and SSL post back – meaning post to the same ssl page, or to other ssl page)
If you try to encrypt it or hash it before send it with javascript you just make your code more complicate and not add so much to the security of it.
To say some more thinks, let say that some one in the middle get the post back values, then the hash of the password is usual 48 to 128 bit, less than the SSL security that have a key f 2048 bits. So no special gain if you hash the password before send it.
It came to my mind one more issue : if you make the hash of the password on client side then you expose your key, and if some one get your key, then can create from the hash, passwords that give the same hash. So do not make the hash/salt of your password on client because you have also a security issue.