
This is mostly a hack from back when SSL/TLS wasn't widespread.

It doesn't work against an adversary that can intercept and change your packets ("Mallory"). If properly implemented, it can work against an adversary that can only observe them ("Eve"), but I've seen implementations that just hash your password before sending it on the wire. In that case, you just have the same problem as before, but the hashed version of your password is your "real" password.
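The difference the comment above describes, as an added example that is not part of the original thread: a server that accepts a bare client-side hash treats that hash as the password, while a nonce-based challenge-response rejects a replayed value. The class and function names, the SHA-256/HMAC construction and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def pw_hash(password: str) -> bytes:
    # Client-side hash of the password (unsalted SHA-256, for illustration only).
    return hashlib.sha256(password.encode()).digest()

class NaiveServer:
    """Accepts SHA-256(password) off the wire: the hash itself is the credential."""
    def __init__(self, password: str):
        self.stored = pw_hash(password)
    def login(self, wire_value: bytes) -> bool:
        return hmac.compare_digest(wire_value, self.stored)

class ChallengeServer:
    """Issues single-use nonces; expects HMAC(key=hash, msg=nonce) in reply."""
    def __init__(self, password: str):
        self.stored = pw_hash(password)
        self.pending = set()
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:      # unknown or already-used nonce
            return False
        self.pending.discard(nonce)        # each nonce is valid once
        expected = hmac.new(self.stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(pw_hash(password), nonce, hashlib.sha256).digest()

def demo() -> dict:
    password = "correct horse"             # constructed sample value
    naive = NaiveServer(password)
    observed = pw_hash(password)           # what a passive observer sees on the wire
    srv = ChallengeServer(password)
    n1 = srv.challenge()
    r1 = client_response(password, n1)     # also visible to a passive observer
    return {
        "naive_accepts_observed_hash": naive.login(observed),
        "challenge_accepts_fresh": srv.login(n1, r1),
        "challenge_accepts_same_nonce_again": srv.login(n1, r1),
        "challenge_accepts_old_response_new_nonce": srv.login(srv.challenge(), r1),
    }

if __name__ == "__main__":
    print(demo())
```

This covers only the passive-observer case; as the comment says, neither scheme holds against someone who can modify traffic, and the challenge server still stores a value that is sufficient to log in.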




https was also way slower than plain http



