I have my authentication on my web app running on the devise gem. I was wondering if it was secure. Yes, it stores the passwords as hashes in the database, uses encrypted tokens after logging in etc. But how about in the initial log in phase? Does it send the user's password unencrypted over the air (I dont have SSL)? Could it have the client encrypt it with a certain public key that only the server could decrypt? Or is SSL the only way to encrypt the user's password?
Thanks!