While millions of forums and blogs on the Internet today transmit your password in clear text when you log in, the most common way to protect your password is to simply hash it in your browser before transmitting it to the server. We often use MD5, SHA1, SHA256 or SHA512 to accomplish that. Hashing is a one-way trip, meaning that once the password is hashed, in theory it cannot be undone. So the server never knows what your password really is, but it can compare the hash with the copy stored in a database to verify your login, because the same text always results in the same hash. But this method has some vulnerabilities. Your username or login handle cannot be hashed (otherwise, we wouldn't know who you are), so hackers can capture the hashed password and replay your login at a later time, meaning they still know who you are and how to pretend to be you. They just won't know your sensitive password, which you might be using in other important places where you really should not, like the bank. And in some cases, the servers need to store your password in a reversible way for special reasons, and then they cannot use hash algorithms to do that.
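The replay weakness described above, as an added example that is not code from the original article: a constructed Python sketch in which a captured hash logs in again unchanged, followed by a nonce-based challenge-response variant (a generalization beyond the text) that rejects the resent value. The account, the password and the names Server, login_static, login_challenge and client_response are all assumptions made for the illustration.

```python
# Added example: every name and the sample account below are constructed.
import hashlib
import hmac
import secrets

def client_hash(password: str) -> str:
    """What the browser sends in the scheme above: a plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

class Server:
    def __init__(self):
        self.db = {"alice": client_hash("correct horse battery")}  # stores only the hash
        self.nonces = {}  # username -> outstanding one-time challenge

    def login_static(self, user: str, sent_hash: str) -> bool:
        """Scheme from the text: compare the transmitted hash with the stored copy."""
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, sent_hash)

    def challenge(self, user: str) -> str:
        """Issue a fresh random nonce for one login attempt."""
        self.nonces[user] = secrets.token_hex(16)
        return self.nonces[user]

    def login_challenge(self, user: str, response: str) -> bool:
        """Accept HMAC(stored_hash, nonce) once; the nonce is consumed either way."""
        nonce = self.nonces.pop(user, None)
        stored = self.db.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, nonce: str) -> str:
    """Client side of the challenge variant: prove knowledge of the hash without sending it."""
    return hmac.new(client_hash(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()

def demo() -> dict:
    server = Server()
    captured = client_hash("correct horse battery")           # value seen on the wire
    replay_static = server.login_static("alice", captured)    # resent later: accepted
    resp = client_response("correct horse battery", server.challenge("alice"))
    legit = server.login_challenge("alice", resp)             # fresh response: accepted
    server.challenge("alice")                                 # next attempt, new nonce
    replay_challenge = server.login_challenge("alice", resp)  # old response: rejected
    return {"replay_static": replay_static, "legit": legit, "replay_challenge": replay_challenge}

if __name__ == "__main__":
    print(demo())
```

In the challenge variant the stored hash still works as the login secret on the server, so it needs the same protection as a password.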
So the better way is to use RSA public key encryption. The idea is to encrypt your username or login handle together with the password on the client side and decrypt it later on the server side. The safe way to do such encryption is to use the RSA Public/Private Key Pair system. This system allows anyone with the Public Key to encrypt data, but never to decrypt the encrypted data. Only the person with the corresponding Private Key can ever decrypt the data. The Private Key is kept safe and secure on the server, and the Public Key is published. So your browser gets the Public Key, encrypts your username + password with it, and sends the encrypted message to the server. The server decrypts the message using the Private Key that only it knows, and extracts the username and password. If someone intercepts the encrypted message on the way, he will not be able to decrypt it even if he knows the well-known Public Key; therefore, your username and password remain hidden.
However, no secure system is perfect. The biggest vulnerability of this method is a man-in-the-middle attack. Someone could pose as the server, publish his own Public Key to all the clients, and fool them into believing that they should use his Public Key to encrypt data instead of the real Public Key. The clients would encrypt the data using the fake key and send it to the attacker. The attacker would then be able to decrypt that message, re-encrypt it with the real Public Key and send it to the real server. Neither the server nor the clients would notice the man in the middle. The problem lies in the lack of a trust system, meaning there is no system in place to verify a Public Key, unlike the SSL certificate system.