Sending passwords over SSL should be sufficient in most cases. Hashing the password on the client side is slightly better and would provide better protection for those who use SSL (wouldn't want to encourage that, though).
I think the only immediate need, though, is support for per-password salting.
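Per-password salting, sketched as an added example that is not part of the original comment or any project's code: each password gets its own random salt, stored next to the hash, so identical passwords produce different records and a precomputed table cannot be reused across accounts. The record format, the function names and the PBKDF2 parameters are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration; not taken from the page.
ITERATIONS = 600_000
SALT_BYTES = 16
MAX_ITERATIONS = 10_000_000  # refuse absurd work factors in a stored record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated per password unless one is supplied.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt kept in the record and compare."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        iters = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or not 1 <= iters <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iters
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)  # different salts give different records
    print(verify_password("correct horse battery staple", alice))
```

Because the salt and iteration count travel with each record, the work factor can be raised later without invalidating existing hashes.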