This page demonstrates client-side challenge-response HMAC-SHA-256 hashing of a user-submitted password before it is sent to the server. It also hashes the password a second time using a time-based challenge. This makes form-based login possible without requiring the server to know the password, and also protects against replay of captured logins.
SHA-256 implementation:
A JavaScript implementation of the Secure Hash Algorithm, SHA-256
Version 0.3 Copyright Angel Marin 2003-2004 - http://anmar.eu.org/
Distributed under the BSD License
Some bits taken from Paul Johnston's SHA-1 implementation
The HMAC-SHA-256 implementation has been added by me, with a little help from PasswordMaker.
I got the XMLHttpRequest snippet to get the challenge from Mozilla.org.
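The two-stage hashing described at the top of the page, shown end to end with both the client's computation and the server's check. This is an added example, not the demo's own code: it uses Node's built-in `crypto` module instead of the bundled SHA-256 script, and the key and message layout, the function names, the 60-second window and the sample account are all assumptions.

```javascript
// Added example; key/message layout and names are assumptions, not the demo's code.
const crypto = require("node:crypto");

const hmac = (key, msg) =>
  crypto.createHmac("sha256", key).update(msg).digest("hex");

// First hash: what the server stores at enrolment instead of the password.
const storedVerifier = (user, password) => hmac(user, password);

// Time-based challenge: here simply the server's clock in whole seconds.
const issueChallenge = (nowMs) => String(Math.floor(nowMs / 1000));

// Client side: second hash, keyed by the first hash, over the challenge.
const clientResponse = (user, password, challenge) =>
  hmac(storedVerifier(user, password), challenge);

// Server side: reject malformed, stale or future challenges, then compare
// the expected and received responses in constant time.
function verifyLogin(stored, challenge, response, nowMs, maxAgeSec = 60) {
  if (!/^\d{1,12}$/.test(challenge)) return false;
  const age = Math.floor(nowMs / 1000) - Number(challenge);
  if (age < 0 || age > maxAgeSec) return false;
  const expected = Buffer.from(hmac(stored, challenge), "hex");
  const got = Buffer.from(String(response), "hex");
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample data.
const T0 = 1700000000000;
const stored = storedVerifier("alice", "correct horse");
const challenge = issueChallenge(T0);
const response = clientResponse("alice", "correct horse", challenge);

function demo() {
  return {
    fresh: verifyLogin(stored, challenge, response, T0 + 5000),
    replayed: verifyLogin(stored, challenge, response, T0 + 120000),
    wrongPassword: verifyLogin(stored, challenge,
      clientResponse("alice", "wrong", challenge), T0 + 5000),
  };
}
console.log(demo()); // fresh login, replay after the window, wrong password
```

The stored first hash is itself sufficient to compute valid responses, so it needs the same protection at rest as a password would. A captured response also stays valid until the window closes unless the server additionally remembers which challenges have been used.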