I will echo mercuryus , Do Not send usernames and passwords unprotected over the internet.
I use a complicated hashing system that protects username/passwords against all attacks except for man-in-the-middle or compromised browsers (which can remove my client-side hashing).
I could explain in PMs if you are interested.
As for your issue, 400 and 500 responses are server side errors (most likely).
400 means your URL is bad. (either a malformed URL on the client side, or your document is not where it should be on your server)
500 means your server is erroring off.