I don't have much expertise on security but what I do agree that sending the password in clear text over the wire is too risky and not recommended. And if you even hash it, it does not shield you from hackers attacks since they don't even need the real password if they know the MD5 hash value that's being sent by sniffing the connection packets or airwaves and finding the hash.
This also does not include the risk of session hijacking when one does not have SSL which protects against eves dropping, amongst other things.
Interesting reading you can read to get more exposure on security.
There is some article which helps to deal with situation when you use JS and you don't have https. It requires hashing coupled with challenge key both on client and server. It helps to minimize the risks but not completely though.
While it is widely used, it is not safe.
I'm currently working of something which deals with security as the topic of this thread. Briefly, it deals with handling password through image recognition similarly done with some site to prevent bot but with a twist.
Let me explain. Instead of entering password, user will be asked to click his password through randomly assigned position that visually he knows where to click to match his password. Bot can't do that and if the buffer happened to be defeated and sniffed, it can't be really used because of time token and session id associated with it will invalidate it. And more, the next time, this password is resent, it will be either expired or incorrect since it is going be changed again preventing from guessing it right each time. The reason for this is the challenge image is not the same for each time the login is invoked. Then, only and only the server knows and how to decrypt it to decode it and perform custom authentication to database. That's the idea.
Hopefully, I can soon integrate that feature to the current game in progress!