If no encryption can be in place, you should hash the password on the client side (salted with a random salt provided by the server) and compare the resulting hash.

This approach has two advantages:

1. the hashed value is different each login
2. the password is never sent in plain text.

However, without encryption and proper authentication, session hijacking and such attacks are trivial.

Please note that there is no way to make this secure enough to foil any attack attempt of a reasonably competent malicious party without some sort of encryption/authentiaction layer on top of http, so it is probably for the best not to give the users any sense of false security, mmkay?

The biggest problem in the “let’s only make the log-in as secure as possible” is that session side-jacking attack is rather trivial without encryption. Sidejacking (as defined in Wikipedia) is:

Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised.[3] Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.