in reply to CGI Password/Login and Security

1) A secure server doesn't have to cost money, if you stick with open source projects and don't get a signed certificate (signed by the big boys (Verisign), at least).

2) Don't use /etc/password with the web at all. If you don't have an SSL connection, that userid/password is sent in plaintext, and could give any blackhat the info to log in to your box via that account. Update: oh, you meant LIKE /etc/password. Yeah, you could do that, but again, without the encrypted connection it's not secure. (You'll be as secure as telnet.)

3) Without an encrypted session, there's no way to guarantee the security of the data. You can encrypt the data, but either you use something on the box side as the key, or you use something user-provided.
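
An added example, not part of the original post: a login check for a CGI script that keeps its own passwd-like file of web-only accounts (point 2) and refuses to evaluate credentials that did not arrive over an encrypted connection. The `user:salt:hash` record format, the function names, and the reliance on the server setting `HTTPS=on` for TLS requests (as Apache mod_ssl does) are assumptions of this example.

```python
import hashlib
import hmac

ITERATIONS = 200_000  # PBKDF2 work factor chosen for this example


def make_entry(user, password, salt):
    """Build one 'user:salt_hex:hash_hex' line (record format assumed for this example)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{digest.hex()}"


def parse_store(text):
    """Parse the passwd-like file into {user: (salt, digest)}; skips blanks and comments."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, hash_hex = line.split(":")
        store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return store


def check_login(environ, store, user, password):
    """Return (ok, reason). Refuses to evaluate credentials that arrived without TLS."""
    # Assumption: the web server sets HTTPS=on for TLS requests (Apache mod_ssl does).
    if environ.get("HTTPS", "").lower() != "on":
        return False, "insecure-transport"
    # Unknown users still cost one PBKDF2 run, so timing does not reveal valid names.
    salt, expected = store.get(user, (b"\x00" * 16, b"\x00" * 32))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if user in store and hmac.compare_digest(digest, expected):
        return True, "ok"
    return False, "bad-credentials"


# Constructed sample store: one web-only account, unrelated to any system login.
SAMPLE_STORE = parse_store(
    "# web accounts only\n" + make_entry("alice", "correct horse", bytes(range(16)))
)

if __name__ == "__main__":
    print(check_login({"HTTPS": "on"}, SAMPLE_STORE, "alice", "correct horse"))
    print(check_login({}, SAMPLE_STORE, "alice", "correct horse"))
```

By the time the script rejects a plaintext request the password has already crossed the wire, so the login form itself must be served and submitted only over HTTPS; the check is a backstop against misconfiguration.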