http://qs1969.pair.com?node_id=153934


in reply to Web based password management (or how *not* to blame tye)

Passing the password as an MD5 hash isn't any better than passing it in the clear, if it isn't done over SSL. Just thought I'd point it out and make it explicit.

I've done something similar in the past. If we wanted to be truly paranoid we'd implement S/Key. (I wish I had my JavaScript S/Key implementation working, maybe someday...).

UPDATE: Some reading on S/Key: RFC 1938, RFC 2289

--
perl -pe "s/\b;([st])/'\1/mg"