The passwords are stored SHA1 encrypted in the database along with a GPG encrypted version w/ email which is encrypted with a private key that I hold.
The issue is the session login code is completely plain text. It would be nice to have TLS support at login.
I've dealt with this crap before, and it's a pain in the butt. You have to register with some central authority or else a "do you trust.." pop-up appears on the client.
Any ideas?