Steve

The reason is pretty simple.
Even if you hash the hash, you are still sending the authentication
token that the server cares about, in plain text across the internet.
This could allow for a replay attack. Nothing can prevent that except
for implementing SSL at least on the authentication page.

I have to roll my eyes whenever I think of an Adobe web services thing I set up. Adobe had us pass the hash of our password as the authentication token. They would then do an exact comparison with the hash in their database. At this point it doesn't matter what the original password was! The hash is now the password... and it was being sent in cleartext... :)

Brad

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
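An added illustration of the point made above (example code, not from the original message or from Adobe): a server that does an exact comparison against a client-supplied password hash. The user name, password and the "extra rounds" option are constructed; the example shows that the value on the wire is identical on every login, so a single cleartext observation is a reusable credential, and that hashing the hash only changes which static value that is.

```python
import hashlib
import secrets

# Constructed model of the scheme described in the message: the client sends
# sha256(password) as its token and the server compares it exactly with the
# sha256(password) it has stored.  Nothing here is the vendor's real code.

def h(value: str) -> str:
    """Hex sha256 of a string; used identically on both client and server."""
    return hashlib.sha256(value.encode()).hexdigest()

def client_token(password: str, extra_rounds: int = 0) -> str:
    """What the client puts on the wire: the password hash, optionally re-hashed
    ("hashing the hash"); the result is still a fixed string per password."""
    token = h(password)
    for _ in range(extra_rounds):
        token = h(token)
    return token

def server_login(db: dict, request: dict, extra_rounds: int = 0) -> bool:
    """Server keeps sha256(password) and compares an equally re-hashed copy.
    Whatever string satisfies this comparison is, in effect, the password."""
    expected = db.get(request["user"])
    if expected is None:
        return False
    for _ in range(extra_rounds):
        expected = h(expected)
    return secrets.compare_digest(expected, request["token"])

def token_is_static(password: str, extra_rounds: int = 0) -> bool:
    """True when two independent logins send an identical token: the request
    carries no freshness (no nonce, no timestamp), so a copy of one cleartext
    request is accepted again later without any knowledge of the password."""
    first = client_token(password, extra_rounds)
    second = client_token(password, extra_rounds)
    return first == second

if __name__ == "__main__":
    db = {"brad": h("correct horse battery staple")}   # constructed record
    for rounds in (0, 1, 3):
        req = {"user": "brad",
               "token": client_token("correct horse battery staple", rounds)}
        assert server_login(db, req, rounds)              # normal login
        assert token_is_static("correct horse battery staple", rounds)
        assert server_login(db, dict(req), rounds)        # same bytes, accepted again
    print("the hash on the wire is the password; re-hashing it changes nothing")
```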
