The problem with this scheme is that, although you've hidden the password, you've made the MD5 of the password equivalent to the password for your application. For example, if I sniff or shoulder-surf a session from this user and see that they're using user=sgifford&passwd=MD5ENCODEDSTRING, then I can simply log on to your system by sending these same parameters, even though I don't know the password.
You really want to consider using sessions here, or just putting the username and password in hidden form fields to protect them from shoulder-surfing, and using SSL to protect them across the network.
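
An added example, not part of the original post: the MD5-in-the-query-string check next to a session-based login, to show why a captured MD5 string stays valid indefinitely while a captured session id stops working at logout or expiry. The account data, function names, PBKDF2 storage and the 15-minute lifetime are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs

# Constructed sample account; user name and password are illustrative only.
PASSWORD = b"correct horse"
_SALT = secrets.token_bytes(16)
USERS_MD5 = {"sgifford": hashlib.md5(PASSWORD).hexdigest()}
USERS_KDF = {"sgifford": (_SALT, hashlib.pbkdf2_hmac("sha256", PASSWORD, _SALT, 100_000))}
SESSIONS = {}        # session id -> (user, expiry timestamp), kept server-side
SESSION_TTL = 900    # seconds; assumed lifetime

def md5_param_auth(query):
    """Scheme from the post: every request carries user + MD5(password)."""
    q = parse_qs(query)
    user = q.get("user", [""])[0]
    digest = q.get("passwd", [""])[0]
    stored = USERS_MD5.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), digest.encode())

def login(user, password, now=None):
    """Verify the real password once (sent over SSL), then issue a random session id."""
    now = time.time() if now is None else now
    rec = USERS_KDF.get(user)
    if rec is None:
        return None
    salt, want = rec
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(got, want):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, now + SESSION_TTL)
    return sid

def session_user(sid, now=None):
    """Map a session id back to its user, or None if unknown or expired."""
    now = time.time() if now is None else now
    user, expires = SESSIONS.get(sid, (None, 0))
    if user is None or now >= expires:
        SESSIONS.pop(sid, None)
        return None
    return user

def logout(sid):
    """Invalidate the session on the server; the id is useless afterwards."""
    SESSIONS.pop(sid, None)
```

The session id still has to travel over SSL, as the post says; what changes is that a leaked id can be revoked and expires on its own, and it never reveals anything that works as the password.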