If you ask me, I would not use any encrypted login other than SSL. As soon as sessions are involved, I switch to SSL, because session theft without SSL is too easy. Also, SSL allows me to protect my pages with Basic-Auth, so I don't even need a session.
So it's best to consider switching your blog entirely to SSL. Please note that to use SSL on your server you just need an SSL certificate; there is a company that offers free SSL certificates for $0 per year. Also note that Google and all major search engines can handle https pages without any problems.
I skipped the 1000 lines of answers on how to implement your own secure password scheme using JavaScript and AJAX over insecure lines, because it is difficult to implement.
Two options for secure login without JavaScript and without SSL come to mind:
There are cheap one-time-password USB tokens. You just plug one into a USB port, push a button, it creates an OTP, and there you go. Since this is an OTP, it is valid only once, so it cannot be replayed and sniffing it is not a problem.
The other is OpenID, as used here on Stack Overflow. OpenID does not require SSL between the server and the client. Note that the USB token above already comes with OpenID support.
Both methods offer off-the-shelf free libraries for implementation in PHP or other languages. This, of course, is easier to implement than creating a properly designed and secure password scheme over insecure lines.
One big caveat:
If you use sessions over insecure lines, and logins usually use sessions, be sure to protect the session, at least by the IP you see. This should be implemented on the server side. Thus, if someone steals the session cookie, the session cannot be (ab)used, provided that the thief does not use the same WLAN (or computer) as you.
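The server-side session binding described in the caveat above, as an added example that is not part of the original answer (Python rather than PHP, with an in-memory store; the session TTL, the store layout and all IP addresses are constructed for the demonstration). Each session records the client IP that created it; a session cookie presented from any other address is rejected and the session is destroyed, which is what defeats a sniffed cookie. The second demo function shows the limitation the answer points out: a thief sharing the same NAT or WLAN presents the same IP and the binding does not help.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # seconds of inactivity before a session expires (assumed value)


class SessionStore:
    """Server-side session store whose sessions are bound to the creating client IP.

    The cookie value is only an opaque random ID; user identity and the bound IP
    live on the server, so a client cannot forge or edit them.
    """

    def __init__(self):
        self._sessions = {}
        self.audit_log = []  # (event, user, ...) tuples; a real app would log these

    def create(self, user, client_ip):
        """Called after a successful login: returns the ID to put in the session cookie."""
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, not guessable
        self._sessions[sid] = {"user": user, "ip": client_ip, "last_seen": time.time()}
        return sid

    def resolve(self, sid, client_ip, now=None):
        """Called on every request: returns the user for a valid session, else None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            self.audit_log.append(("expired", sess["user"], client_ip))
            return None
        if sess["ip"] != client_ip:
            # Cookie presented from a different address than the one that logged in:
            # treat it as theft and destroy the session so neither party can keep using it.
            del self._sessions[sid]
            self.audit_log.append(("ip_mismatch", sess["user"], sess["ip"], client_ip))
            return None
        sess["last_seen"] = now
        return sess["user"]


def demo_remote_theft():
    """Thief on another network replays a sniffed cookie (constructed scenario)."""
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10")   # alice logs in from her address
    stolen = store.resolve(sid, "198.51.100.7")    # thief presents the same cookie elsewhere
    legit_after = store.resolve(sid, "203.0.113.10")  # session is gone for alice too
    return stolen, legit_after, store.audit_log[-1][0]


def demo_same_network_theft():
    """Thief behind the same NAT/WLAN as the victim: same IP, binding cannot tell them apart."""
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10")
    return store.resolve(sid, "203.0.113.10")  # thief is accepted as "alice"


if __name__ == "__main__":
    print(demo_remote_theft())        # (None, None, 'ip_mismatch')
    print(demo_same_network_theft())  # alice
```

Binding to the IP is the cheapest server-side check and the one the answer asks for; it is a mitigation for sessions that must travel unencrypted, not a substitute for SSL, since a thief on the same network still shares the victim's address.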