RSA is useless for the web. An eavesdropper acquires the server public key, the client public key and the encrypted password, takes a dictionary of passwords, encrypts every possible password and compares the result. Only one encryption is needed to check one password from a dictionary, or 30^6 checks to test all passwords up to 6 characters. There is RFC 2945 - The SRP Authentication and Key Exchange System. http://en.wikipedia.org/wiki/Secure_remote_password_protocol
RSA encryption will give a false sense of security to web programmers.
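
The re-encryption attack the comment above describes, as an added example that is not code from the original post. It assumes the client encrypts the raw password bytes directly with the server's public key using textbook RSA (no randomized padding), so the same password always yields the same ciphertext; the key, the wordlist and the intercepted ciphertext are all constructed here, and the key is a toy size chosen so the script runs in well under a second.

```python
"""Dictionary attack on deterministic (textbook) RSA encryption of a password.

Added example, not code from the original comment. Assumption: the client
computes c = password^e mod n with the server's public key and no randomized
padding, so an eavesdropper holding (n, e) and c can re-encrypt guesses and
compare. The key below is a constructed toy; real RSA moduli are far larger.
"""
import itertools
import string

# Constructed toy RSA key: two Mersenne primes (~150-bit modulus), demo only.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def encrypt(password: str, n: int = N, e: int = E) -> int:
    """Textbook RSA: c = m^e mod n, m being the password as a big-endian integer."""
    m = int.from_bytes(password.encode(), "big")
    if m >= n:
        raise ValueError("password too long for this modulus")
    return pow(m, e, n)


def decrypt(c: int, n: int = N, d: int = D) -> str:
    """Server side: recover the password with the private exponent."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def dictionary_attack(ciphertext: int, wordlist, n: int = N, e: int = E):
    """Eavesdropper: one public-key encryption per candidate, compare to the capture."""
    for word in wordlist:
        if encrypt(word, n, e) == ciphertext:
            return word
    return None


def brute_force(ciphertext: int, alphabet: str, max_len: int, n: int = N, e: int = E):
    """Exhaust every string over `alphabet` up to max_len characters.

    The work is sum(len(alphabet)**k for k in 1..max_len), which is the
    30^6-style count in the comment: the attacker never needs the private key.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            word = "".join(chars)
            if encrypt(word, n, e) == ciphertext:
                return word
    return None


# Constructed wordlist for the demo (a real attacker would use a leaked-password list).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]

if __name__ == "__main__":
    intercepted = encrypt("hunter2")  # what the eavesdropper captures on the wire
    print("dictionary hit:", dictionary_attack(intercepted, WORDLIST))
    print("brute-force hit:", brute_force(encrypt("abc"), string.ascii_lowercase, 3))
    print("server decrypts:", decrypt(intercepted))
```

The attack only needs the public key and a captured ciphertext, which is exactly what a passive observer of the page sees; the private key is used here solely to show the server's side of the exchange.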
