Even if we follow Coyote's advice and use session keys, there are still security implications. When the user first sends his password, it will be plaintext. Anybody between your user and the webmail server could pull the password off of the network.

The only universally supported system that I can think of is SSL. 128-bit encryption is way better than hashing passwords or using session keys. In theory, you shouldn't even need to use session keys (but you should, because two layers of security are better than one). Plus, with SSL, everything is encrypted, so your users network can't be sniffed to find out the content of messages (but the mailservers can).

To wrap it up, session keys have worked, and still do, SSL encryption is better, but nothing is perfect. A determined cracker could probably still get access to the contents of your user's mail, but you will be making it a lot harder for him.

--
IndyZ