Passwords are rarely hashed client side. It doesn't matter, though, if you have enough control over a server to listen to POSTs for unhashed passwords, you probably have enough to inject some script and capture them on the client side.
True, but then you have to mimic the form submission without alerting the user. It's certainly possible, but much less feasible compared to just passive logging of all POSTs that have a field called [password|pw|pass|passwd].
I guess if you're targeting a single site the difference is small.
It would be just slightly more complicated to inject a script that POSTs back anything typed into a password field.
Hashing passwords client-side would just provide a false sense of security. Surely if it's worth doing it, it would be worth the cost of an SSL certificate and the overhead of protecting (a minimum of) all pages and requests handling passwords?
Not even that. You simply have to delete the JavaScript that hashes them on the client side, and have the browser send them unhashed (which is the default behaviour of HTML forms).
