Without encryption, no simple form of password authentication is secure. The client's entries or cookies are in the open to be sniffed.

Get SSL or change servers. If this is in-house, and the budget won't cover security, you can set up a Linux box from a surplus 486 to act as a front end. You may need to keep it a secret.

There are boatloads of modules on CPAN to help do this given a sane environment.

After Compline,
Zaxo